My journey to OSCP

Intro

I spent the last five months learning for OSCP and today I finally received the good news:

In this post I want to describe my journey together with some tips and tricks which helped me. I know that there are lots of “OSCP review” posts out there but reading them helped me keeping motivated and I try to cover different things in my post.

The lab network

The reason why it took me five months to finish OSCP was that I wanted to solve all lab machines. The lab is the heart of OSCP and if you don’t solve all the lab machines you won’t get the full experience out of it. Please note that you will likely not need five months to finish all lab machines. I was studying during OSCP (30 ECTS for my master in the same five months), working in a new job at Kapsch as pentester (16h / week; but I was allowed to do some stuff for OSCP) and participated in CTFs (for example, our university participated in the locked shields partner run where we got 2^nd and we had to prepare stuff for it). I also took several times one or two week breaks because I just couldn’t see a machine anymore. I really recommend that you do OSCP in your own pace. OSCP is a huge learning experience and learning should make fun and not be stressful. Always keeping a good work-life-balance is important in info-sec, not only during OSCP.

Reading through the PDF document, watching the provided videos and solving most of the tasks took me around two weeks. I highly recommend solving the provided tasks because they will also help you in the lab.

The lab machines itself are not very hard, I solved most systems in 2-4 hours. The full lab is also not hard, it’s just time-consuming. In total there were 54 lab machines in my network (I think the number sometimes changes a little bit because some new machines are added or old ones are removed) plus one extra firewall / proxy system which not belongs to the course, but which can be hacked. Sometimes I got stuck and it took a little bit longer. This is especially the case with systems with dependencies, which require that you first solve another system. My personal favorite system was humble, I highly recommend solving this system.

I also recommend staying away from the forum before you solve a system. There are lots of hints in the forum which can direct you to the correct solution, but you should try to solve it yourself. The IRC bot hints are (in my opinion) completely useless, they confused me more than they helped, especially on most systems I don’t know what they mean even though I already solved the machine. I think that’s because of the “try harder” mantra, offensive security doesn’t want to spoil too much, and you should therefore just try harder.

However, when you successfully owned a system, I recommend reading the forum because there are often multiple ways to solve the system (at least in the lab!). Reading all forum post to one system can even take 6-8 hours. Some systems have 2-4 different ways to compromise them or on some systems you can use 6 or 7 different kernel exploits.

I think it's very important to finally read, understand and manually reconstruct every exploit you used (maybe except kernel exploits). Offensive security does not teach you to hack (I already knew how to exploit a SQLi, LFI, Command Injection, …), instead they teach you to get a structured approach (a good methodology), how to deal with motivation, time pressure and rabbit holes and challenge you to learn stuff yourself. And you get a lot of practice. Some people complain that the lab systems are old and yes, most of the systems are old, however, attacking newer systems is not that different to attacking older systems. Maybe some attack techniques change, but the underlying steps which you conduct (the methodology) are always the same (together with the key learnings like being structured and dealing with stress and rabbit holes).

For me the only negative aspect of the old lab was that the lab was a lot simpler because systems had multiple solutions.

The exam

It’s funny how my confidence in solving the exam changed over the time. Before I started OSCP I was thinking “yes, I’m going to easily solve the exam because I work several years as pentester”. When I was in the lab my confidence decreased and my mind went to: “oh shit, I hope that the exam won’t contain systems like humble, gh0st, sufferance. This could be hard in 24 hours”. After the lab I did additional preparation (reading again through my hackthebox writeups, solving vulnhub systems, ..), wrote huge checklists for every possible vulnerability / scenario they could introduce and also did a pre exam from vulnhub (https://h4cklife.org/2018/05/22/a-pre-exam-for-future-oscp-students/). I solved the pre exam in 4-5 hours without troubles. I was pretty confident and was ready to solve the OSCP exam in the same timeframe.

And then it was exam day. And holy fuck, I was seriously not expecting this. Buffer overflow was simple. I calculated 20-30 minutes for buffer overflow, however, it took me 45-60 minutes. But no problem, still good in time. I then got my second shell after approximately one (maybe two?) hours but then I got stuck in several rabbit holes. Privilege escalation would had been easy, but I was extremely stupid and did a very stupid mistake. Luckily, I detected it some hours later and solved the full system (this was very stupid and here I wasted a lot of time for nothing).

And with the other systems: It didn’t matter what I was trying, I just couldn’t get a foothold. And time went by. I think that was the moment where I first thought that I could fail the exam. Although it was still very early in the exam (5 hours in the exam, so 19 hours left) I was surprised by the machines and that I didn’t know how these could be solved and why nothing was working.

I think a big problem was that I was very chaotic and unstructured. In the lab I solved one system after another. In the exam I started in 9 tmux tabs attacks against four systems simultaneously, always switching between one tab and checking the output of the tool which just finished. I would not recommend this approach for the exam, I think it was maybe the source of flaws and the reason why stuff was not working.

After the 5 hours I started to begin a new approach and do everything again to check if I maybe missed something. Some hours later I solved an additional machine (privilege escalation was easy, I think I did it in 10 minutes or something like that) and was then sure to pass the exam. The big pressure felt off. Then I started to write the report just to ensure that I have all required screenshots for my systems (this took me 1-2 hours).

When I finished, I started to attack the next system and I did the same (start enumeration from zero and behaving like I would know nothing yet about the system) again and I could solve it. I don’t know why the things were not working the first time. I’m pretty sure (like 80-90%) that I did exactly the same things multiple times before, however, this time it was magically working. Hint: Some people recommended to record the screen during the exam, however, I was not doing that because I thought that I will take enough screenshots. In retrospect, it would have been really nice to check if I did something wrong in the first attempts. So, my recommendation: Record your screen during the exam. Privilege escalation was also simple for this system. I then also wrote the report for this system which again took 30-60 minutes.

So, I had four systems solved and a roughly written report. I was approximately 13 hours in the exam (I also took in these 13 hours several shorter breaks and a one hour break to play some computer games).

I then started with the last and hardest machine. I was doing some hours enumeration and I’m pretty sure that I know the entry point. It was already 07:00 in the morning (I started 17 hours ago at 14:00), but then decided to go sleeping. In the end it would had been really nice to know if my assumed entry point was the correct one or a huge, huge (really huge!) rabbit hole, but yeah, that’s life. I’m a little bit disappointed that I solved all lab machines but not all exam machines, but maybe I replicate the system in my home lab to finish it.

In the end the exam was harder then I expected, but I also think that I would had solved the exam even if I would not had done the lab. But the lab was a nice experience and I still recommend solving it!

Tips

• Google the point allocation of the exam machines. According to the exam guide 70 points are required to pass (and you get 5 bonus points for a lab and exercise writeup), so do the math to know in which order you must solve the systems… Also calculate what system you must finish if you can’t do privilege escalation on one system.
•  Create checklists. During the exam you will be under pressure. It can help to think about stuff you can do in “worst case” before. So that you can look at the checklist during the exam which can help you to get a different view on the problem.
• The proctoring was no problem for me, everything was working. You can just login 15-20 minutes before your exam. You can’t install the required software before, but everything was working without a problem on my system (host OS was Windows 10). The proctors (I had several) were really nice. However: Note that the proctoring software allows the proctor to access silently the files on your system! So, remove important stuff before the exam.
• Offensive Security recommends checking your webcam before – especially if someone can read your passport via the webcam. I had a very good webcam, so lazy as I was, I didn’t check it. And yes, it was really not working very good because of the light. So, check this before!
• I was working a lot with bash aliases. I created bash aliases to change directory to all important directories (oscp, tools, webserver, downloads folder, share folder, my notes folder). I have a bash alias to start a webserver in a preconfigured folder (so that my commands to download for example LinEnum, PowerUp, invoke-powershelltcp are always the same) and one to start it in the current folder. Also ensure to write the aliases reusable (e.g. don’t hardcode your lab IP or network adapter because they will be different in the exam). I also have a bash alias to start a reverse shell on Linux and Windows (start nc, display my ip, and copy the correct command to start the shell into my clipboard), one to start recon and one to start gobuster. To enable or disable my firewall and to open and close ports. To start a quick and a long (default + vuln scripts) nmap scan and so on. I have bash aliases for really every task.
• I recommend using a tool to automate enumeration. I was using reconnoitre, but there are also nmapAutomator, AutoRecon, faraday, reconscan.py and Enumerator. In my opinion reconnoitre is the best because it just runs nmap and gives you the commands to start further recon tools (so that you know what you are running because you started the commands yourself). But it’s good to read through the code of the other tools to see which commands and tools these enumeration scripts are running.
• For me the biggest surprise of the lab was the power of nmap NSE scripts. These are really powerful and can help a lot. For example, when you find a new software / service, just grep first for NSE scripts (command “locate .nse | grep -i <service>”) and run the scripts first! (you can run scripts with wildcards)
• In my opinion one of the most powerful file transfer techniques to windows is SMB. Since the course doesn’t teach this technique, I want to mention it here. Just start a SMB server for the current folder on your kali box with “impacket-smbserver share .”. Then you can access files on (most) Windows systems with “copy \\<your-ip>\share\filename.exe localFilename.exe”. Plus: You get the netntlm hash which you can try to crack.
• I recommend always reading the full advisory. You will often find an advisory with a short PoC and the PoC is directly working. However, in many cases the advisory contains additional information and if you don’t read them, you will regret it. For example, some advisory also contain hints for privilege escalation or some advisories first mention exploits for authenticated users and afterwards (!) the unauthenticated exploits.
• You can also solve hack the box and vulnhub machines before you start OSCP. The spreadsheet https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview# has some good candidates. I recommend to first solve the hack the box systems (notice that the spreadsheet has a second tab), then solve the full OSCP lab and schedule your exam approximatly 2 weeks after the lab ended. Then you can solve a pre exam (https://h4cklife.org/2018/05/22/a-pre-exam-for-future-oscp-students/) and after that you can try the listed vulnhub machines. Since the pre exam uses five machines from vulnhub it would not make sense to do the pre exam if you already solved the vulnhub machines. I therefore recommend to do the vulnhub machines after the OSCP lab.
• And of course: Watch ippsec videos on youtube! A good place to search for content in IppSec videos is: https://shellock.me/IppsecTribute/
• And here are some important links:

https://sushant747.gitbooks.io/total-oscp-guide/

https://ired.team/offensive-security-experiments/offensive-security-cheetsheets

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://guif.re/linuxeop

https://github.com/rebootuser/LinEnum

https://www.fuzzysecurity.com/tutorials/16.html
https://guif.re/windowseop

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

https://github.com/SecWiki/windows-kernel-exploits

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

https://recipeforroot.com/

https://github.com/sagishahar/lpeworkshop

https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/