A Journey called OSCP!
Hi Guys, hope you and your loved ones are safe and doing well 😊. Today I will be sharing how I prepared for one of the toughest certifications in the cybersecurity domain, though it is considered beginner level: Offensive Security Certified Professional (OSCP). I cleared it in the first attempt.
I am truly grateful to have had constant support and motivation from my family and friends during this amazing journey. I could not have done this without them. This post is my personal experience and hence very subjective.
I am hoping this post would be helpful and informative for future OSCP aspirants and anyone who is willing to Try harder.
After referring to a lot of OSCP pass/fail blogs, I got to know that OSCP is all about enumeration and strong methodology. To improve in these two aspects I watched Ippsec’s videos of multiple boxes regularly and took a lot of notes.
I purchased a HackTheBox VIP subscription and solved almost all of the machines from TJ_Null’s (updated) list of OSCP-like VMs from HackTheBox and Vulnhub, as suggested by a lot of other students. I would highly recommend anyone preparing for OSCP to solve the boxes from this list. I can’t stress enough how similar the boxes in the OSCP labs are to the ones on this list; you will see it once you solve them.
It took me almost 2 months to go through this list, one box at a time, taking detailed notes along the way. The methodology I followed was as follows:
1. I would first give 100% to solving the box on my own, without any hints.
2. If I was not able to get a foothold or solve the box in about 3–4 hrs, I would check the hints on the HTB forums. It is ok to see hints/walkthroughs if you believe you are stuck after trying hard enough and trying every possible way you can think of. Just remember to learn something new from each box and apply it to the next box you solve.
3. After rooting the box I would watch Ippsec’s walkthrough videos and read various other walkthroughs posted by the InfoSec community, just to see their methodology and what different things they did to solve the same box, and note down the things I had missed.
The above methodology did help me to improve my enumeration as well as privilege escalation skills. In the resources section I will be providing links to all the resources I used while preparing for OSCP so don’t worry 😊.
Offsec had recently updated their course materials and the lab machines for PWK Version 2. Looking at the huge syllabus, I decided to go for 3 months of lab access, as I had decided to complete all the lab machines and the exercises along with the lab report. After reading a lot of OSCP review blog posts/threads, I decided to register for OSCP in August 2020.
I got my lab access on 13th September 2020.
As I had opted for 3 months of lab access, I decided to read the PDF and watch the videos first. I was able to complete those in about 10 days. The PDF and videos prepare you for the lab machines. I would recommend going through the course materials first and then solving the lab machines.
While going through the labs, I had a plan of completing at least 2 machines per day. Having a day job (8–9 hrs) makes it somewhat difficult but most of the time I was able to achieve that target. I would invest around 6–7 hrs daily for the lab machines (2 hrs before office time and 4–5 hrs after office time).
There will be ups and downs while you are going through the labs for sure. For example, there were stretches of 2–3 days when I was not able to root even a single machine, and on some days (mostly weekends) I solved 3–4 machines in a day. So the rate varies and depends on the difficulty of the box and the amount of time you can invest in the labs. Although the labs are the most fun, challenging, and rewarding part of this journey, you will definitely experience all kinds of emotions while solving the lab machines - happiness, anger, fear, sadness, anxiety, etc. If not, you are probably missing something 😛, so be sure to learn and enjoy to the fullest while you are at it.
Don’t forget to check out Offsec’s Try Harder song; it will help you get pumped before your intense hacking sessions 😉😛
While solving the lab machines, ensure you take detailed notes of each and every step you take while rooting the boxes. This will help you stay organized and will help you to have a template that can be used later while writing the final exam.
Additionally, I had created an Excel sheet with details like → “IP, Hostname, OS, Date, Foothold, Privesc, Connected to Other networks?, Loot” etc. for all the 66 machines. This helped me quickly identify the unique machines that needed to be documented in the lab report. The OSCP labs are not CTFs, so make sure you do a good amount of post-exploitation after you have rooted a machine, as there are dependent machines in the labs.
I used Cherrytree for the purpose of note-taking. There are other tools for note-taking like OneNote, Joplin, etc., but I prefer Cherrytree. You can add a sub-node under the Recon node as you find various services and take notes accordingly.
In my notes, the Try node is where I would note down the things I need to try after completing the full scan and identifying all the services. The reason is that many times in the labs and in the exam you may come across a lot of services running on various ports, so to stay organized, to have a methodical approach, and to avoid rabbit holes I used this approach. Also, I would enumerate a service for about 30 minutes; if I did not get anything useful, I would move on.
Now, while solving the machines you can do one of two things:
1. Solve the machines sequentially or
2. Scan the entire subnet and start with low hanging fruits
It doesn’t matter which way you solve, the important thing is you should do enough enumeration to identify which box is dependent and which is not because the lab is designed as a real-world network, and trust me this will save you a ton of time when you progress in the labs.
Recently, Offsec introduced PWK Labs Learning Path (starting point target machines), which includes mapping of some of the lab machines and the PDF modules which you can refer to while solving these boxes along with hints to compromise them. Do check it out.
Offsec has published PWK machine statistics here. I have seen people who have solved all the lab machines but did not pass the exam. So the important thing is to solve as many lab machines as you can while learning new things and adapting and improving your methodology each time you solve a lab machine. This will definitely prepare you for the final exam challenge.
Following this plan, I was able to root all the 66 lab machines including all the networks (Public, IT, Dev, Admin) in about ~50 days.
As I had completed all the lab machines pretty early, I started writing the lab report along with the lab exercises, which get you 5 bonus points. The lab exercises are huge and a pain in the a**. It took me quite a while to complete all the lab exercises, due to which I had a massive lab report of about ~400 pages, but it was worth it; who knows when those 5 bonus points will come in handy and make a difference on the final points?
I revisited all the boxes again just to ensure my notes are accurate and reproducible. I purchased a 1 month HTB subscription again to practice on more machines as I had a lot of time remaining in the labs.
Buffer Overflow Practice
I was also practicing Buffer Overflow on TryHackMe. The OSCP exam buffer overflow is similar to this room and it will give you enough practice, so it is highly recommended to complete this before the exam. Along with this room, the extra mile exercises in the PDF for buffer overflow will sharpen your buffer overflow skills. I had done a good amount of practice on about ~20 different applications that were vulnerable to buffer overflows. I will give the links to some of them in the Resources section.
On a side note, if for some genuine technical reason on Offsec’s end you are not able to access the labs, then Offsec might generously give you an extra day as compensation. This happened to me 4 times during my lab time and hence I got 4 extra days. Thanks, Offsec, for understanding!
Try harder mantra won’t work every time, so take a break, refresh your mind and then again Try harder! — John Hammond
In the week before the exam, to get a feel for the exam and to get used to the time limit, I solved a mock exam under a time limit. Some machines restored faith in my skills, while on some machines I got to improve my methodology and skill set.
I had scheduled my exam at 10.30 AM (IST) on 3rd January 2021.
You will be able to access the proctoring software 15 mins before your exam time, so I joined the proctoring session at 10.15 AM. I had my ID verified smoothly, but unfortunately my 2nd screen was not visible to the proctor, as I had attached an external monitor to my main system. Troubleshooting this wasted 30 minutes, and hence my actual starting time was 11.00 AM. I thought of asking Offsec for an extra 30 minutes, but then I thought to myself that the whole focus should be on completing the machines and not on giving excuses... so I moved on to solving the machines.
As suggested by a lot of students, I had decided to follow the below plan in order on the exam, but sometimes things don’t go according to your plan 🤷♂️
- Solve 25 points machine (Buffer Overflow)
- Solve the 10 points machine
- Solve 20 points machine
- Solve 20 points machine
- Solve 25 points machine
As the screen troubleshooting issue had wasted 30 minutes, I was a little nervous. I initiated the scans on the hosts using autorecon, a network recon tool that is allowed in the OSCP exam and automates the reconnaissance and enumeration of services. It is an awesome tool created by Tib3rius. An alternative to this tool is nmapAutomator.
1. I completed the Buffer Overflow (25 points) machine in 30 minutes along with all the screenshots and the notes. I had created buffer overflow template notes which really helped me to note down the critical steps for completing the buffer overflow. The most important thing is identifying bad characters: automate this process, and then manually verify the result so you are absolutely sure about the bad characters. That lets you solve it quickly without hampering accuracy.
2. After taking a 10–15 min break, I completed the 10 points machine in about 1 hour, ensuring that I was taking enough screenshots along with detailed steps I took to root the machine in Cherrytree.
So after about 1 hour 30 minutes, I had 35 points.
3. I decided to go for the 20 points machine next. I reviewed the scan results and started doing further enumeration. I identified one entry point, but for some reason I was not able to get a shell from that point. While starting the exam, I had decided to work for about 2 hrs on a machine and move on if no foothold was acquired. Following this approach, I decided to come back to this machine later on and went for lunch.
4. I started carefully reviewing the scan results for the 2nd 20 points machine. I noticed something in the results, did further enumeration, and was able to get a foothold. After performing detailed enumeration, Privilege escalation was straightforward on this machine and I ensured that I took enough screenshots and detailed notes while working on the machine.
About 10–12 hrs in the exam I had 55 points.
5. I decided to work on the 25 points machine instead of the previous 20 points machine, hoping that if I rooted this machine I would be able to pass the exam. I reviewed the scan results and started doing further enumeration. I was not able to figure out the entry point for quite some time. It was late night and I decided to sleep.
I slept for about ~2 hrs and got back to working on this machine. I performed a scan once again on this machine to ensure I was not missing any ports/services, and the results were similar to the first scan. After a lot of head scratching and a few cups of tea, I noticed something unexpected, tried enumerating it further, and finally got the foothold!
Offsec gives partial points for a low privilege shell, so at this point, around 16 hrs into the exam, I knew that I had 71.5 points including the 5 bonus points for the lab report. This is where those extra 5 points can make a difference!
To not be dependent on those 5 bonus points, I performed all the enumeration techniques to escalate my privileges. I found some interesting information, did further enumeration, then exploitation, and guess what, I was root!!
At this point, I had 85 points and I was confident that I had passed.
In the remaining time, I wanted to root that 20 points machine which I had left earlier hoping that I would be able to get full points now, but unfortunately I was not able to solve that machine.
As the last thing, I decided to review my detailed notes and the screenshots once again just to make sure that I hadn’t missed anything, and decided to end the exam utilizing my full 23 hrs and 45 minutes! These were the most intensive 24 hrs of my life for sure, and I enjoyed every bit of it!
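The bad-character step mentioned for the buffer overflow machine is easy to get wrong by hand, because one dropped or truncated byte shifts everything after it in the debugger view. The following is an added example, not code from the original post, showing the automated part: generate the candidate byte sequence, compare it with what was read back, and record only the first mismatch per round before re-sending. The `simulated_transport` function is a constructed stand-in for sending the bytes to an application and reading the memory back; it is not a real target and simply drops 0x0a and truncates at 0x0d so the logic has something to find. The final "clean" round is the point at which the post's advice to manually verify applies.

```python
"""Identify bad characters by iterative comparison (added example, not the post's own code).

The transport below is constructed: it stands in for "send payload, read memory
back in the debugger" and deliberately mangles two byte values.
"""
from typing import Callable, List, Optional, Sequence


def candidate_bytes(excluded: Sequence[int] = (0x00,)) -> bytes:
    """Every byte value 0x01..0xff except those already known to be bad."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def first_mismatch(sent: bytes, observed: bytes) -> Optional[int]:
    """Walk both sequences in lock-step and return the first sent byte that
    did not survive (changed, dropped, or cut off). Everything after that
    position is unreliable, so only this one byte is reported per round."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def identify_bad_chars(send_and_read: Callable[[bytes], bytes],
                       known_bad: Sequence[int] = (0x00,)) -> List[int]:
    """Repeat send/compare, excluding one newly found bad byte per round,
    until the whole candidate sequence comes back intact."""
    bad = list(known_bad)
    while True:
        sent = candidate_bytes(bad)
        observed = send_and_read(sent)
        culprit = first_mismatch(sent, observed)
        if culprit is None:
            return sorted(bad)
        bad.append(culprit)


def simulated_transport(payload: bytes) -> bytes:
    """Constructed stand-in for a real round trip: the 'application' drops
    newline (0x0a) and stops reading at carriage return (0x0d)."""
    out = bytearray()
    for b in payload:
        if b == 0x0d:
            break
        if b == 0x0a:
            continue
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    found = identify_bad_chars(simulated_transport)
    print("bad characters:", ", ".join(f"0x{b:02x}" for b in found))
```

Against the constructed transport the loop takes three rounds: the first finds 0x0a, the second finds 0x0d (the sequence is cut off there), and the third comes back intact. In practice the `send_and_read` callable is whatever you use to deliver the payload and dump the stack, and the last intact round is what you eyeball in the debugger to confirm the list.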
After ending the exam, I slept for about 5–6 hrs. I used the OSCP exam report template from here. I filled in the required information, including all the steps and the necessary screenshots, in the final report. You can use this or create your own template; just ensure that you write enough detail that the Offsec team is able to reproduce your steps and root the machines.
After creating the detailed report with screenshots, which was about 60 pages, I proofread the report twice to ensure there were no grammatical mistakes, formatting errors, etc., as Offsec is very strict about the final report you submit.
At around 2.30 AM, I submitted the Exam report along with the Lab report and slept peacefully.
On 6th January, 24 hrs after submitting my report, I got the long-awaited email from Offensive Security confirming that I had passed! 😄
I will try to mention the resources/links which I used during my OSCP preparation. Credit goes to respective authors. Please note this is not an exhaustive list and you can refer to other resources as well which are freely available on the internet.
OSCP-Like Machines
- TJ_Null’s list of Hack the Box OSCP-like VMs
- IppSec’s videos of TJ_Null’s list of Hack the Box OSCP-like VMs
- Hack the Box OSCP Preparation
- Basic Linux Privilege Escalation
- FuzzySecurity Windows Privilege Escalation
- Windows Privilege Escalation Guide
- Linux Privilege Escalation for OSCP & Beyond!
- Windows Privilege Escalation for OSCP & Beyond!
- Windows Escalation of Privilege
- Linux Escalation of Privilege
- TryHackMe OSCP Buffer overflow Prep
- Minishare Buffer Overflow
- SLMail Buffer Overflow
- Vulnserver Buffer Overflow
- Brain Pan Buffer Overflow
OSCP Cheat Sheets
- Install a fresh copy of Windows and Linux on VMware/VirtualBox. Note down the default services and the ports open on a default installation, so that it will be easier to identify an unusual service while performing privilege escalation.
- Create a folder in any cloud storage provider, share that folder between your Kali VM and the host and then mount it to Kali. This will ensure that you have a backup with you all the time.
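The tip about noting the default services and open ports is really a baseline comparison: record what a clean install listens on, then diff any later snapshot against it. The following is an added example, not from the original post, that does that diff in Python over `ss -tlnp` output on Linux. Both listings are constructed sample data, not captures from any real host, and the column layout assumed is the one `ss` prints: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process. The same approach works for a Windows baseline with a different parser.

```python
"""Diff a snapshot of listening services against a recorded baseline.

Added example (not the post's own code). Assumes both listings were produced by
`ss -tlnp` on Linux. The two listings below are constructed sample data.
"""
import re
from typing import Dict, Tuple

Listener = Tuple[str, int]  # (local address, port)

# Constructed baseline: what a fresh default install listened on.
BASELINE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=701,fd=7))
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("exim4",pid=930,fd=4))
"""

# Constructed later snapshot of the same host: two new listeners and one
# port now served by a different process.
CURRENT_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=701,fd=7))
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*         users:(("postfix",pid=1102,fd=9))
LISTEN 0      50     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1404,fd=21))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2210,fd=4))
"""

PROCESS_RE = re.compile(r'\("([^"]+)"')  # pulls the name out of users:(("name",pid=..,fd=..))


def parse_listeners(ss_output: str) -> Dict[Listener, str]:
    """Map (address, port) -> process name for every LISTEN line.
    The header and non-listening sockets are skipped; if `ss` was run without
    enough privilege to show the process column, the owner is 'unknown'."""
    listeners: Dict[Listener, str] = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition handles IPv6 forms such as [::]:22 as well as 0.0.0.0:22
        addr, _, port = fields[3].rpartition(":")
        proc = "unknown"
        if len(fields) > 5:
            m = PROCESS_RE.search(fields[5])
            if m:
                proc = m.group(1)
        listeners[(addr, int(port))] = proc
    return listeners


def unexpected_listeners(baseline: str, current: str):
    """Return (new, changed): listeners absent from the baseline, and known
    listeners whose owning process differs from the baseline."""
    base = parse_listeners(baseline)
    now = parse_listeners(current)
    new = {k: v for k, v in now.items() if k not in base}
    changed = {k: (base[k], v) for k, v in now.items() if k in base and base[k] != v}
    return new, changed


if __name__ == "__main__":
    new, changed = unexpected_listeners(BASELINE_SS, CURRENT_SS)
    for (addr, port), proc in sorted(new.items(), key=lambda kv: kv[0][1]):
        print(f"NEW      {addr}:{port} ({proc})")
    for (addr, port), (was, now_proc) in changed.items():
        print(f"CHANGED  {addr}:{port} ({was} -> {now_proc})")
```

Run against the constructed data this flags 3306 (mysqld) and 8080 (python3) as new and port 25 as having changed owner. Anything that shows up here is where enumeration time is best spent, and the same diff is what a defender reviews when a host drifts from its build standard.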
OSCP Exam and Lab Report Template
Last but not least, as the saying goes:
OSCP is not a destination, it is a journey!
So keep learning, be curious, and all the best!! Take care! Adios ✌
Hope it was helpful for anyone preparing for OSCP, and if you have read this far, thank you 😊
If you have any queries, you can contact me on LinkedIn, Twitter — @soham_bakore.