Journey towards OSCP | Old vs Updated Labs | Exam Prep and Tips
Sleepless nights and stressfull days had come to an end. I wanted to share my experience on OSCP.
Background:
I have been working as full time pentester for over 2 years. Prior I was a developer for an year which is a big plus. I have obtained CEH and CND. However, getting OSCP certified was always my primary target since my graduation.(Can say 5 years of dream :-D). Many more certifications added to todo list though!.
Time Management:
Well you are right!. I am working full time and I need to manage time efficiently. So, below was my perfectly defined loop.
- 5am-9am: wakeup work with labs
- 10am work: Solve labs when having free time
- 7pm: back from work, continue with labs upto 1or 2am
- 1 or 2am to 5 or 6am: sleep
- repeat
Before OSCP:
I have been warned not to jump straight away into OSCP as it could lead to a disaster leading to waste of time and money. There are lot of pre-requisuites or we can say it as a checklist which you need to complete before signing-up for OSCP.
- CTF’s: You know it and it is not required to be a pro. You must be able to solve simple web challenges, binaries. This will be helpful when solving lab machines. I started playing with my team Abs0lut3Pwn4g3 on weekends for a while which boosted my skills. My team members helped a lot when i had doubts, thanks for them
- HackTheBox: This is where I learnt a lot. When I joined HTB i felt difficult with windows and privilege escalations. Consistently solving machines and reading writeup’s of retired machines and Offcouse watching ippsec youtube videos improved my skills and techniques. Subsequently, I acheived EliteHacker rank with 40+ pwns which boosted my confidence for OSCP. So, I highly recommend getting VIP access and solve the retired machines or reach upto prohacker rank with active machines. Reposting the same OSCP like machines as mentioned elswhere
- Vulnhub: I spent very little time here prior signingup with HTB. Since HTB had grabbed my full attention. I highly recommend solving kioptrix and metasploitable machines. Here is the OSCP like machines from vulnhub as mentioned elswhere
- Pentesterlab: Last but not the least. It contains excellent bootcamp and challenges to solve. As a pro subscriber i solved many challenges and obtained 9 badges. You can also download the VM’s and solve.
- The above things had been incorporated in my day-to-day free time and weekends and thus decided to take on OSCP.
OSCP Labs:
Old version of OSCP:
Here it begins. By January I purchased 60 days of lab time, 380 pages pdf and 380MB video course content. There are around 50 lab machines.
I need to clearly plan this according to my time mangement schedule. So I came up as below
- complete pdf and videos in 3–5 days: I noticed the video is in sync with pdf sentence by sentence. So, in parallel you can read the PDF while current topic is being taught by the author.
- solve 1 machine a day: This is somewhat strange/weird plan. doing the math to solve 60 machines in 60 days of lab time(1 per day). I have heard people just rush up solving machines as soon as they pwn one. But I sticked to 1 per day and breakdown what that machine is trying to teach. Read blogs/writeups/videos related to the vulnerability. There were exceptions where i pwned machines within 1 hour or so. In that case i would proceed with another. I used cherrytree to keep my notes as recommended by everyone.
- end of day: Never ended my day with an ippsec video before my bed time. Its a treasure of techniques and approach we can learn from.I even rewatched videos sometimes.
- Everthing went smooth upto 30 days with this perfectly defined loop untill I hit an unexpected runtime exception.
- I had a mixed feeling of whether to worry/happy/surprised. Without a second thought I just upgraded my labs and course content with the extention pack. Later, I was informed my old labs will be inaccessible in 5 days. With only 36 machines solved in 30 days(1 machine per day goal) and missing access to Admin network. I was rushed to solve the others ASAP. Pwned Sufference,Ghost,Pain in this time and while solving humble my lab was discontinued and received a latest connetion pack.
Alright lets move on to the new version of OSCP
Materials:
- 853 pages PDF
- 4.5GB video content
I can see they have worked pretty good with the content. Not less and not more. Explaining AD attacks, powershell empire, so on.. They used updated version of kali, good video edits.
I was angry when I read the privilege escalation section from old materials and when I checked that section in new one, I was completely satisfied. It clearly explains the required approach for linux and windows machines seperately. It has a good introduction to powershell empire, shell scripting, AD attacks(kerborasting etc..)
Ok, Lets get back to the Loop:
- complete pdf and videos in 3–5 days: I completed new course materials in 3 days( skipping what I learnt from Old materials)
- solve 1 machine a day: I was having trouble in figuring out the machines. All machines were upgraded to windows 10 and linux equivalent. My pivot machines got changed(ssh credentials etc..). I took 2 days to figure out the difference between what it was and what it is now. With lots of notes changes i came up with New labs which is just the new machines added by offsec in that particular network
- Pwned another 10 machines in 10 more days.
old labs vs new labs:
- In old labs the machines were running on windows vista,xp where a decade old service and kernel exploits were working and most were vulnerable to eternal blue which they recently patched. I was unsatisfied as such machines are seldom encoundered in real environments, though it was good learning them and practicing.
- When moved to new labs offsec broke the limits. It has Domain controllers and attacks related to them. No more kernel exploits(not appreciated way of solving). Here you have a sandbox machine and 3 dedicated hosts(windows DC,windows client,debian) which you can use for learning AD attacks, BOF’s and pivoting. Thus removing the burden from students end to setup the AD environment.
Post Exploitation is the key to lab completion
I was stuck in old and new lab network due to my poor post exploitation skills. At the end I learnt what needs to be done and what you should add in your checklist
- Password Cracking: Offsec has their own crackhub. You might need to use JTR,hashcat depending on the case. But never miss this step. crack the shadow files and SAM. It could be used on different machine(SSH,RDP etc.). So have a username.txt, password.txt accumulating during your pentest.
- Files: Yes, there are fishy files,notes left in some places. check their contents keep track of it and note them down. It can be used else where.
- check the log files and config files not limited to web server.
- Packet capturing also helps.
With 46 machines solved in 45 days(keeping 1 machine per day). Due to work I was forced to take up the exam prior to lab completion so I scheduled it to the immediate day at 5pm With 15 more days of lab time pending.
OSCP Student Forum:
There is a student forum which you will have access to. Students can discuss about the machines. Here you dont expect walkthroughs instead there are minor hints and it is moderated by offsec for any spoilers. And I highly recommend to stay away from the forums and only visit it when you are stuck for more than 3 hours. Just dont jump in right away for hints. However, the newer lab forums are almost empty. So you are on your own. be prepared!!
OSCP Exam
As it was unplanned, I was never prepared mentally(felt sleepy already). Connected to offsec exam network. proctorer made sure everything is fine, scanned the room and monitors in use and exam kick started.
- BOF 25 points: It is an easy one to pwn. Its a simple BOF binary. I had practiced 4–5 binaries in windows and linux prior. So in 45 minutes i was able to complete this with POC’s taken.
- 2 x 20 Point: easy ones
- 1 x 10 Point: Kind of rabit holes
- 25 point: trickiest one i sufferred
Subsequently I went on to pwn 3 more machines with POC’s within 8 hours of exam time consumed. There was no need for using metasploit.
Considering that I have passed already so I went on to sleep as it is 2am and I had only 1(25 point) machine to solve. Slept 9 hours(wasted time) and started to solve the final one. User was quite tricky took 4 hours. With only 3 hours left. I knew the attack vector and failed to gain system shell. Perfect example of what Over-Confidence can lead to. Thus, finshing up with 4.5 pwns.
OSCP Exam Tips:
- Automate: Enumeration is time consuming. from HTB forums I came up with this nmapAutomater. you can run this at the background while solving BOF and it runs all types of scans and stores the output in files. thank him later.
- Take breaks: for every machine solved or user priv attained, go out and reward yourself. stay hidrated, sleep minimal if required :-D .
- Its ok to move on: Dont get stuck, If you are stuck go on to the other machine. You might get an idea or some pointers when solving the other one or just take 15 minutes break. definetly you will get some new ideas to try out.
- POC: Remember that POC is the important one. Make sure you take appropriate screenshots and review them as soon as you complete the machine. So that there is nothing to hurry/think about at the end of exam time. Someone said you can just video record the entire exam so that you no need to worry about missing POC’s. Unfortunately offsec updated its exam guideliness to not to do so.
OSCP Reporting
I thought this would be piece of cake to complete. Literally I have taken much time writing the report rather than the exam itself. I Submitted my lab report of 43 pages with reviewing multiple times for any errors.
There are reporting templates provided by offsec. Use them for both the exam and lab reports. Yes, for lab reports you get 5 more bonus point. Do lab reports if you are not confident enough in passing the exam. It might help.
After one week I got the mail from offsec that I have passed the exam.
I wish you all the very best for your OSCP. Thanks for reading and dont forget to
