Post

Offensive Security Certified Professional (OSCP) Course Experience

I am finally an OSCP!!

In 2015, I started thinking of taking OSCP certification. After reading OSCP failed attempts stories on the Internet this course started to scare the hell out of me, so ended up getting EC Council CEH Certification. But My hunger for OSCP level knowledge and certification pushed me to enroll in OFFSEC in 2016. I was basically a n00b while taking OSCP labs and still is. While Googling I stumbled upon metasploitable vulnerable vm and vulnhub.com. Excitingly downloaded the VM and trying to crack the machine. I couldn’t get anything!! At times I have been nmap-ing multiple vulnerable machines for hrs and end up in failure. A lot of my experience came from self-education, spending countless hours on google, infosec blogs, vulnhub writeups for learning new tools and techniques. I try to avoid books and think that Videos and Step by step live or online tutorials is the best way one can learn this doesn’t mean books are useless, they have very good tips & tricks and personal and public experiences written by book writers. Much of what I learned is install/test anything on my windows(XP, 7-32bit,64bit), UNIX(FreeBSD), Linux(Ubuntu,Redhat) vms.

Course

OSCP is one of the best practical examination for Pentesters. Basically, this is a journey.

I opted for 90 days of OSCP Lab Course. You’ll be provided with course materials, 8-hour Offensive Security PWK course videos, 375 pages Ebook (Exercises after each section) and VPN for lab access which has 50+ machines to hack in the Public domain. Once your lab time starts which will be mentioned in your email by the offsec team you can’t stop Lab time. btw one can request offsec team if they have any serious problem and can’t continue.

Instantly started going through Videos and PDF as soon as the course material landed in my mailbox. As I am not a fan of book reading, started with the course videos. After completing some of the exercises which was quite easy to understand so jumped to OSCP LAB immediately thinking I can start pwn-ign machines but failed to get anything. Retrying again ended up in failure. Started reading PDF, found that there are exercises to do and spent some time it. My biggest mistake was not documenting any exercise (btw if you submit well-documented exercises and lab machines along with exam report you will be rewarded 5 points in an exam). My recommendation is to use Evernote/OneNote/Github Repos to document scan results, screenshots, attack vectors, exploits.

It was the second month where I was able to get one low hanging fruit (Machine) and for 10 sec felt like “hacker”. For this machine I got the admin access directly. For some machines, you will get low-level service/standard user access one must escalate privileges to root/system/admin access and for some admin/root/system access at the first stage itself. Just make sure you do enumeration on all machines to get flags/information related to other machines in the lab. Don’t forget to take a note of proof.txt file containing the md5 hash (accessible by admin/root) and the local.txt file containing the md5 hash (accessible by low-level standard user/network). I was informed by other offsec guys to Join #offsec IRC channel, here I was taught that one must ask questions related with topics not discuss the particular machine and ping admins if needed help. Don’t expect Admins helping you a lot that’s how this course is set up. For some concepts/methods/tools, it took 2-3 days to find, understand and work with it. Every Machine tested was meant to test or teach you different attack vectors and skills. Sometimes failure to find vulnerabilities or understand the machine makes me feel to quit. Try Harder !! is the answer here.

Try hard, get back to basics and start enumerating again. A couple of weeks passed by and I was able to get r00t on more machines 20 machines but by pain,sufferance, and difficulty. (I know 2 of them are Lab machine names)

Note that OSCP Course doesn’t provide you with everything you need to know. The Course is there to teach basics you need to start enumerating and attacking. Search and learn yourself through Google.

At times I was tired of typing msfvenom shells commands so felt the need to fix this so created a small script to make my work easy. This actually made me happy because the usage of “if, else switch cases” which I learned in school. Later found a better script by g0tmi1k but I prefer to use my own because of easiness. So if anyone knows to bash scripting or programming they can automate their work. Whenever I am stuck on any VM, ran Metasploit, openvas scanner and was able to crack machines with those results. Make sure you practice manual methods because the use of vulnerability scanner and Metasploit is banned in the exam.

Buffer overflow is one of the topics that I think offsec did a very good job at explaining it. I did found some of the basic stack BO vulnerable apps thorugh googl and succesfully exploited them.

As soon I got r00t on some of the hard machines like pain, fc4, I was confident that I will be able to crack the exam and ooked my exam date. I am not kidding this exam was intense and gave me a hard time. Except for 2 machines I was not able to get or understand anything else. Even after planning, I was shocked to see how my brain was failing to follow that routine. I think the main reason was I didn’t get enough sleep the night before, didn’t take any breaks or nap during the exam because the whole focus was to not fail the exam. This was a horrible mistake. Eventually, I received an email from Offsec saying I failed. I realized I am not ready for OSCP decided to learn, understand and practice more but this failure led me to avoid that practice. After a while, I got a full-time job which made me lazy enough that I was only reading walkthroughs of vulnhub vms.

Somehow I found hackthebox - An online platform to test and advance your skills in penetration testing and cyber security. Started hacking vms with my colleagues. Motivation to hack hard vms, Try Harder mentality and to reach in top 200 hackers pushed me to pursue lab for a month.

A month past by and decided to book the exam and I was able to get the points needed to pass the certification, Documented and sent the report to offsec. After 12-16 hrs received an email I had been obsessing over since submitting the report saying that I failed again. I went crazy and started checking my report where I did a mistake and kept pinging, talking offsec admins about this. Rechecking report I found that Metasploit meterpreter was used by me on multiple vms. As far as I remember there was no clear statement on Metasploit meterpreter(I may be wrong). still, felt like a stupid guy. Now Offsec did a good job of writing in more than 2 line that one must not use Metasploit meterpreter on multiple machines.

In the final exam, my aim was to not touch Metasploit related things on multiple vms and until I got passing points. I was able to pwn 4 machines in 16hrs then I kept enumerating 5th one but I was so tired to continue and inside I knew had enough points to pass. Wrote the final report and sent it to offsec and next day I received an email saying:

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.

Resources for learning

  • Learn Linux and also get online certificate. https://www.edx.org/course/introduction-to-linux

  • Overthewire Games - Bandit (Linux Beginners) and NATAS (Web Applications) http://overthewire.org/wargames/

  • Explainshell - Dont just copy any commands from google/blogs instead wriet down you command on this webpage to see text that mactches each argument. https://explainshell.com/

  • Nmap Cheatsheet https://highon.coffee/blog/nmap-cheat-sheet/

  • How to prepare for OSCP by Abatchy https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html

  • Step by Step Detailed guide by Tulpa (Highly Recommended)

    https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/

  • Sushants Total OSCP Guide

    ( This is the ultimate guide, I coverted to pdf and always have it on my phone)

    https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

Privilege Escalation

  • Basic Linux Privilege Escalation https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

  • Reboot User Linux Exnumeration Script https://github.com/rebootuser/LinEnum

  • Securitysift Linux Privilege Checker Script https://www.securitysift.com/download/linuxprivchecker.py

  • Nebula Exploit Exercies for beginner. ( Official Site is not working) https://www.vulnhub.com/entry/exploit-exercises-nebula-v5,31/

  • Pentesting Cheatsheets https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/

Windows

  • Windows Exploit Suggester https://github.com/GDSSecurity/Windows-Exploit-

  • Windows PrivEsc Checker https://github.com/pentestmonkey/windows-privesc-check

  • SysInternals (Download the latest and old version) https://docs.microsoft.com/en-us/sysinternals/

  • Windows Privilege Escalation method for pnetester (Windows) https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

  • Level Up! Practical Windows Privilege Escalation - Andrew Smith https://www.youtube.com/watch?v=PC_iMqiuIRQ

  • Encyclopaedia Of Windows Privilege Escalation - Brett Moore https://www.youtube.com/watch?v=kMG8IsCohHA

  • Windows Privilege Escalation Fundamentals http://www.fuzzysecurity.com/tutorials/16.html

  • Windows Local Privelege Escalations https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md

  • RiyazWalikar Windows Privelege Escalation https://www.slideshare.net/riyazwalikar/windows-privilege-escalation

Shells

  • Pentestmonkey Reverse Shell Cheatsheets http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

  • Creating Metaploit payloads shell https://netsec.ws/?p=331

  • Spawning a TTY Shell https://netsec.ws/?p=337

  • Upgrading simple shell to fully interactive shells https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

  • Kali webshells package https://tools.kali.org/maintaining-access/webshells

  • G0tmi1k’s MSFVenom Payload Creator https://github.com/g0tmi1k/mpc

  • MSF-Payload-Generator-Script (My Own Basic version) https://github.com/r3dg33k/MSF-Payload-Generator-Script

Exploits

  • AusJuck Privilege Escalation Exploits https://github.com/AusJock/Privilege-Escalation

  • Kernel exploits Linux https://github.com/lucyoa/kernel-exploits

  • Windows Kernel Exploits https://github.com/SecWiki/windows-kernel-exploits

Buffer Overflow

  • Stack Based Buffer Overflow Tutorial, part 1 – Introduction https://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-introduction/#gref

  • Exploit writing tutorial part 1 : Stack Based Overflows https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

  • Vulnserver – TRUN command buffer overflow exploit (My Recommendation) http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/

Extras

  • G0tmi1k’s OS scripts which update your kali OS to kali rolling, install zsh and many more improvements. https://github.com/g0tmi1k/os-scripts

  • Terminator or tmux (Arrange multiple terminals in grids on single tab, multiple tabs, lots of keybaord shortcuts and much more) command to install - sudo apt-get install terminator

Enable the Logger plugin to log all keystrokes within each terminal.

https://www.youtube.com/watch?v=mMak2VzRbmc

  • Tmux tutorial https://www.youtube.com/watch?v=Lqehvpe_djs

  • Exam Guide - offsec https://support.offensive-security.com/#!oscp-exam-guide.md

Practice Labs

  • VulnHub
    1. Kioptrix 1-5
    2. FristiLeaks: 1.3
    3. Stapler: 1
    4. PwnLab: init
    5. Brainpan: 1
    6. Mr-Robot: 1
    7. HackLab: Vulnix
    8. VulnOS: 2
    9. SickOS: 1.2
    10. SickOS: 1.1
    11. SkyTower: 1
  • HackTheBox
    practice on old VMs

Overall, I enjoyed the course. It certainly is the best hands on course I did experienced.

Below are just some of the people I mentioned helped during my learning period and encourage me to write the blog post. thanks to all of you

Offsec Team and Admins
Fraz3r
Sh4f!
Raghu
Bachi Babu (for asking me twice to write this post)
Some of the people from hackthebox chat channel

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.