Intro
I spent the last five months studying for OSCP and today I finally received
the good news:
In this post I want to describe my journey together with some tips and tricks which helped me. I know that there are lots of “OSCP review” posts out there, but reading them helped me stay motivated, and I try to cover different things in my post.
The lab network
The reason why it took me five months to finish OSCP was that I wanted to
solve all lab machines. The lab is the heart of OSCP and if you don’t solve all
the lab machines you won’t get the full experience out of it. Please note that you
will likely not need five months to finish all lab machines. During OSCP I was
studying (30 ECTS for my master’s in the same five months), working in a new job at Kapsch as a pentester (16h / week; but I was allowed to do some stuff for OSCP)
and participating in CTFs (for example, our university participated in the
Locked Shields partner run, where we got 2nd, and we had to prepare
stuff for it). I also took several one- or two-week breaks because I just couldn’t
see a machine anymore. I really recommend that you do OSCP at your own pace. OSCP is a huge learning experience and learning should be fun and not stressful. Always keeping a good work-life balance is important in infosec, not only during OSCP.
Reading through the PDF document, watching the provided videos and solving
most of the tasks took me around two weeks. I highly recommend solving the provided
tasks because they will also help you in the lab.
The lab
machines themselves are not very hard; I solved most systems in 2-4 hours. The full
lab is also not hard, it’s just time-consuming. In total there were 54 lab
machines in my network (I think the number sometimes changes a little bit
because new machines are added or old ones are removed) plus one extra
firewall / proxy system which does not belong to the course, but which can be
hacked. Sometimes I got stuck and it took a little bit longer. This was
especially the case with systems with dependencies, which require that you
first solve another system. My personal favorite system was humble; I highly
recommend solving this system.
I also recommend staying away from the forum before you solve a system.
There are lots of hints in the forum which can direct you to the correct
solution, but you should try to solve it yourself. The IRC bot hints are (in my
opinion) completely useless; they confused me more than they helped. On most
systems I still don’t know what they mean even though I already solved the
machine. I think that’s because of the “try harder” mantra: Offensive Security
doesn’t want to spoil too much, and you should therefore just try harder.
However,
when you have successfully owned a system, I recommend reading the forum because
there are often multiple ways to solve the system (at least in the lab!). Reading all forum posts for one system can even take 6-8 hours. Some
systems have 2-4 different ways to compromise them, and on some systems you can use
6 or 7 different kernel exploits.
I think it’s very important to finally read, understand and manually reconstruct every exploit
you used (maybe except kernel exploits). Offensive
Security does not teach you to hack (I already knew how to exploit a SQLi, LFI,
command injection, …); instead they teach you a structured approach (a
good methodology), how to deal with motivation, time pressure and rabbit holes, and challenge you to learn stuff yourself.
And you get a lot of practice. Some people complain that the lab systems are
old, and yes, most of the systems are old; however, attacking newer systems is
not that different from attacking older systems. Maybe some attack techniques
change, but the underlying steps which you conduct (the methodology) are always
the same (together with the key learnings like being structured and dealing
with stress and rabbit holes).
For me the only
negative aspect of the old lab was that the lab was a lot simpler because systems
had multiple solutions.
The exam
It’s funny how my confidence in solving the exam changed over time.
Before I started OSCP I was thinking “yes, I’m going to easily solve the exam
because I have worked several years as a pentester”. When I was in the lab my confidence
decreased and my mind went to: “oh shit, I hope that the exam won’t contain
systems like humble, gh0st, sufferance. This could be hard in 24 hours”. After
the lab I did additional preparation (reading again through my hackthebox writeups,
solving vulnhub systems, …), wrote huge checklists for every possible
vulnerability / scenario they could introduce and also did a pre-exam from
vulnhub (https://h4cklife.org/2018/05/22/a-pre-exam-for-future-oscp-students/). I solved
the pre-exam in 4-5 hours without trouble. I was pretty confident and was
ready to solve the OSCP exam in the same timeframe.
And then it
was exam day. And holy fuck, I was seriously not expecting this. Buffer overflow
was simple. I had calculated 20-30 minutes for the buffer overflow; however, it took me
45-60 minutes. But no problem, still good on time. I then got my second shell after
approximately one (maybe two?) hours, but then I got stuck in several rabbit
holes. Privilege escalation would have been easy, but I was extremely stupid and made a very stupid mistake. Luckily, I detected it some hours later and
solved the full system (this was very stupid and here I wasted a lot of time
for nothing).
And with the
other systems: it didn’t matter what I was trying, I just couldn’t get a foothold.
And time went by. I think that was the moment where I first thought that I
could fail the exam. Although it was still very early in the exam (5 hours into
the exam, so 19 hours left), I was surprised by the machines and that I didn’t
know how these could be solved and why nothing was working.
I think a
big problem was that I was very chaotic and unstructured. In the lab I solved
one system after another. In the exam I started attacks against four systems
simultaneously in 9 tmux tabs, always switching between tabs and checking the
output of the tool which had just finished. I would not recommend this approach for
the exam; I think it was maybe the source of flaws and the reason why stuff was
not working.
After the 5
hours I started a new approach and did everything again to check if I had
maybe missed something. Some hours later I solved an additional machine (privilege
escalation was easy, I think I did it in 10 minutes or something like that) and
was then sure to pass the exam. The big pressure fell off. Then I started to
write the report just to ensure that I had all required screenshots for my
systems (this took me 1-2 hours).
When I finished,
I started to attack the next system and I did the same (start enumeration from zero
and behave as if I knew nothing yet about the system) again, and I could
solve it. I don’t know why things were not working the first time. I’m
pretty sure (like 80-90%) that I did exactly the same things multiple times
before; however, this time it was magically working. Hint: some people
recommended recording the screen during the exam; however, I was not doing that
because I thought that I would take enough screenshots. In retrospect, it would
have been really nice to check if I did something wrong in the first attempts. So,
my recommendation: record your screen during the exam. Privilege escalation was
also simple for this system. I then also wrote the report for this
system, which again took 30-60 minutes.
So, I had four
systems solved and a roughly written report. I was approximately 13 hours into
the exam (in these 13 hours I also took several shorter breaks and a one-hour
break to play some computer games).
I then
started with the last and hardest machine. I did some hours of enumeration
and I’m pretty sure that I know the entry point. It was already 07:00 in the
morning (I had started 17 hours ago at 14:00), so I decided to go to sleep. In
the end it would have been really nice to know if my assumed entry point was
the correct one or a huge, huge (really huge!) rabbit hole, but yeah, that’s
life. I’m a little bit disappointed that I solved all lab machines but not all
exam machines, but maybe I’ll replicate the system in my home lab to finish it.
In the end
the exam was harder than I expected, but I also think that I would have solved
the exam even if I had not done the lab. But the lab was a nice experience and
I still recommend solving it!
Tips
- Google the point allocation of the exam machines. According to the exam guide, 70 points are required to pass (and you get 5 bonus points for a lab and exercise writeup), so do the math to know in which order you must solve the systems… Also calculate which systems you must finish if you can’t do privilege escalation on one system.
- Create checklists. During the exam you will be under pressure. It can help to think beforehand about stuff you can do in the “worst case”, so that you can look at the checklist during the exam, which can help you get a different view on the problem.
- The proctoring was no problem for me; everything was working. You can just log in 15-20 minutes before your exam. You can’t install the required software before, but everything was working without a problem on my system (host OS was Windows 10). The proctors (I had several) were really nice. However: note that the proctoring software allows the proctor to silently access the files on your system! So, remove important stuff before the exam.
- Offensive Security recommends checking your webcam beforehand, especially whether someone can read your passport via the webcam. I had a very good webcam, so, lazy as I was, I didn’t check it. And yes, it was really not working very well because of the light. So, check this before!
- I was working a lot with bash aliases. I created bash aliases to change directory to all important directories (oscp, tools, webserver, downloads folder, share folder, my notes folder). I have a bash alias to start a webserver in a preconfigured folder (so that my commands to download, for example, LinEnum, PowerUp or Invoke-PowerShellTcp are always the same) and one to start it in the current folder. Also ensure that you write the aliases in a reusable way (e.g. don’t hardcode your lab IP or network adapter because they will be different in the exam). I also have a bash alias to start a reverse shell on Linux and Windows (start nc, display my IP, and copy the correct command to start the shell into my clipboard), one to start recon and one to start gobuster; aliases to enable or disable my firewall and to open and close ports; aliases to start a quick and a long (default + vuln scripts) nmap scan, and so on. I have bash aliases for really every task.
- I recommend using a tool to automate enumeration. I was using reconnoitre, but there are also nmapAutomator, AutoRecon, faraday, reconscan.py and Enumerator. In my opinion reconnoitre is the best because it just runs nmap and gives you the commands to start further recon tools (so that you know what you are running because you started the commands yourself). But it’s good to read through the code of the other tools to see which commands and tools these enumeration scripts are running.
- For me the biggest surprise of the lab was the power of nmap NSE scripts. These are really powerful and can help a lot. For example, when you find a new software / service, first grep for NSE scripts (command “locate .nse | grep -i <service>”) and run the scripts first! (You can run scripts with wildcards.)
- In my opinion one of the most powerful file transfer techniques to Windows is SMB. Since the course doesn’t teach this technique, I want to mention it here. Just start an SMB server for the current folder on your Kali box with “impacket-smbserver share .”. Then you can access files on (most) Windows systems with “copy \\<your-ip>\share\filename.exe localFilename.exe”. Plus: you get the NetNTLM hash, which you can try to crack.
- I recommend always reading the full advisory. You will often find an advisory with a short PoC and the PoC works directly. However, in many cases the advisory contains additional information, and if you don’t read it, you will regret it. For example, some advisories also contain hints for privilege escalation, or some advisories first mention exploits for authenticated users and afterwards (!) the unauthenticated exploits.
- You can also solve Hack The Box and VulnHub machines before you start OSCP. The spreadsheet https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview# has some good candidates. I recommend first solving the Hack The Box systems (notice that the spreadsheet has a second tab), then solving the full OSCP lab and scheduling your exam approximately 2 weeks after the lab ended. Then you can solve a pre-exam (https://h4cklife.org/2018/05/22/a-pre-exam-for-future-oscp-students/) and after that you can try the listed VulnHub machines. Since the pre-exam uses five machines from VulnHub, it would not make sense to do the pre-exam if you already solved the VulnHub machines. I therefore recommend doing the VulnHub machines after the OSCP lab.
- And of course: watch IppSec videos on YouTube! A good place to search for content in IppSec videos is: https://shellock.me/IppsecTribute/
- And here are some important links:
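The “reusable alias” tip and the “grep for NSE scripts first” tip above, as an added shell example (my code, not the author’s aliases). It assumes a Kali-style setup: the lab VPN on tun0, NSE scripts under /usr/share/nmap/scripts and a tools folder at ~/oscp/tools, each overridable through a variable so nothing is hard-coded for the lab or the exam.

```shell
#!/usr/bin/env bash
# Added example (not the author's dotfiles): helper functions instead of
# aliases with pasted-in IPs or adapter names. Interface, tools folder and
# script directory are read from variables with assumed Kali-style defaults.

LAB_IFACE="${LAB_IFACE:-tun0}"                   # exam VPN adapter may differ
TOOLS_DIR="${TOOLS_DIR:-$HOME/oscp/tools}"       # assumed folder layout
NSE_DIR="${NSE_DIR:-/usr/share/nmap/scripts}"    # Kali default

# Pull the IPv4 address out of one line of `ip -4 -o addr show <iface>`.
# Split from the `ip` call so it can be tested on a captured line.
ip_from_addr_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "inet") { split($(i+1), a, "/"); print a[1]; exit }
    }'
}

# Current lab IP, read from the interface at call time (never hard-coded).
lab_ip() {
    ip_from_addr_line "$(ip -4 -o addr show "$LAB_IFACE" 2>/dev/null)"
}

# Serve a folder over HTTP; the default is the preconfigured tools folder,
# so the download commands in your notes always use the same URL path.
serve() {
    local dir="${1:-$TOOLS_DIR}" port="${2:-80}"
    echo "[*] http://$(lab_ip):$port/  <-  $dir"
    (cd "$dir" && python3 -m http.server "$port")
}

# Build an nmap command that runs every NSE script whose name contains the
# service keyword (e.g. nse_cmd smb 10.11.1.5), so you see exactly which
# scripts will run before you launch them.
nse_cmd() {
    local service="$1" target="$2" f scripts=""
    for f in "$NSE_DIR"/*"$service"*.nse; do
        [ -e "$f" ] || continue              # glob matched nothing
        f=${f##*/}; f=${f%.nse}              # strip path and extension
        scripts="${scripts:+$scripts,}$f"
    done
    if [ -z "$scripts" ]; then
        echo "no NSE scripts matching '$service' in $NSE_DIR" >&2
        return 1
    fi
    printf 'nmap -sV --script=%s %s\n' "$scripts" "$target"
}
```

Source the file from your shell rc instead of defining aliases; `LAB_IFACE=eth0 nse_cmd smb <target>` then works unchanged when the exam network uses a different adapter.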