OSCP Review – How To Pass OSCP on first Attempt

OSCP – Offensive security certified professional – Penetration testing with Kali Linux is a certification offered by offensive security. This is considered one of the most challenging certifications in the field of cyber security. This is for the people who are aiming to grow in the domain of Penetration testing. In this review, I am going to share my OSCP experience and the way I prepared for the exam, my prior knowledge and I will share the cheat sheets that I used for exam. So, that you can have a brief idea of what is necessary before digging into OSCP. 


For my OSCP Review - Well, for starters – I have a little bit background in security domain, I am a Postgraduate in cyber security and have been interested in hacking from many years, but I am noob who haven’t exactly worked on exploitation stuff.   Before getting into how oscp exam and stuff – I’ll share some info on OSCP lab and Pre-requesters.  I have been planning take OSCP from Mar 2019 and felt like I need to learn a lot before going into OSCP. So, in august I bought hackthebox VIP and started cracking boxes. All the resources over the internet stated that HTB is very useful for OSCP, even I felt like HackTheBox is very useful for OSCP. Later I researched a lot about OSCP Certification, and everyone says its freaking hard and by reading all those reviews I got very excited and Scheduled my Lab to start from Dec 22nd.  


Who should take OSCP? 

If you ask me that question, I would say whoever is interested in technology or working in security domain. It helps you a lot in terms of knowledge and understanding of low-level objects pertaining to security and hacking. It helps you to adapt hacker’s mindset and you will learn the way hackers hack into an enterprise environment.  If you are working in a red team, this is a certification you need to start with. If you are tech-savy its gonna be very easy and interesting.  Also, the best thing about OSCP is once you are an OSCP, you are always an OSCP – there is no expiration date for OSCP certification. 

Is OSCP Worth in 2020?

100% yes, as the threat landscape is enlarging, all security analyst and experts should have the basic understanding of how hackers think and start their attack process. If you are a beginner, its gonna be super fun to learn new technologies and attacking techniques. Even if you are not a red team guy, there is no harm in learning red team techniques as you can use them in securing your company. 

Is OSCP Difficult?

Well, it’s not for me to decide, its based on your prior experience and based your definition of difficulty. I personally didn’t feel it too hard maybe because I prepared well before taking oscp lab. If you are a complete beginner take your time to learn some basics and complete my prerequisites stated below – you are good to go and take 6o days or 90 days lab. So, that you can sit tight and learn everything peacefully at your own pace. There is nothing too hard in this world until you try and succeed. 

OSCP Pricing:

As I worked on Hackthebox a lot (I cracked around 65 boxes in OSCP), I opted the lab for 30 Days – which costed 800$, now the pricing has changed, and it is 1000$ for 30 Days and one free exam attempt. It’s up to you to choose the number of days there is an increase of 200$ for every 30 days. 


Prerequisites for Enrolling to OSCP: 

·         Should Never Give up
·         Go crack at least 10 OSCP like Boxes on Hackthebox
·         Basic Understanding of Networking  
·         Knowledge of Bash Scripting would be very helpful to automate petty tasks
·         Basic understanding of Assembly Language & Buffer Overflow attacks
·         Knowledge on Web Penetration testing like XXS, SQL injections
·         Using Reverse Shells – very important
·         Windows & Linux Commands – Very important

My Personal List of OSCP Like boxes from HackTheBox – Lame, Shocker, Nibbles, Solidstate, Valentine, Poison, Irked, October, SecNotes, Bounty, Arctic, Bastion, red cross, Active, Bart, Jeeves

How to Prepare for OSCP before Buying the Lab:

If you have no prior knowledge on penetration testing, I would suggest you to start solving capture the flag events, the more you do, the much better it is, this way you will get accustomed with new technologies, applications, tools – there are lot more advantages of CTFs than you can imagine. I personally started with Overthewire – Bandit, Natas and it continues…  then go after Hackthebox Challenges, Rootme, pawanable.kr

After you are confident with CTFs, go after VulnHub Vulnerable machines – they are very good for practicing. Then you can go after OSCP like Boxes on Hackthebox

The final and most important thing to learn is Buffer overflow, to understand win 32 & linux 32-bit buffer overflows better – try to understand the Basics of Assembly, understand the basics will help you a lot in exploitation development phase. Learn Exploiting Slmail 5.5 manually properly. 



OSCP LAB:

When you buy OSCP lab, you get a video material of 16 hours + 853 Pages Pdf which covers all OSCP topics. You can find all OSCP Topics Here
The mail objective of cracking the machines is to capture proof.txt files from the machines, they are located in root directory of the machine and only an Administrator or a Root user of the machine can view proof.txt. if you got proof.txt of a machine – that means you cracked that machine.

I started my lab on Dec 22nd, hoping to crack a lot of machines on first day, I was able to crack my first box in an hour and I got lost in the domain. The first step of hacking is Reconnaissance – which I missed, I just randomly selected the first machine and try exploiting it and luckily it was a success. Now, I didn’t know what to do – So, I remembered Cyber Kill Chain Framework which I learned in my college days and started with Reconnaissance and slowly grasped the techniques as it’s my first time seeing hell lot of vulnerable machines in a same domain right in-front of me. I have gone through all the videos and pdf they provided in first few days cracking boxes simultaneously. So, first make sure you read all the PDF document and go through the videos. Don’t waste too much time reading the docs, just work on lab simultaneously.

OSCP Lab Environment consists of 4 Departments. Only first department is accessible at first – the more you crack; the more departments are accessible to you. Keys to these depts are hidden in few boxes. Unlocking these departments will grant you access to new machines, new challenges, new hacks.

My goal was to crack all the machines in 30 days, but I have my office (9 hours). So, I decreased my sleep time to 6 hours – I felt that is more than enough. So, I must work for 6 hours on my lab, which I did. I worked on the lab for almost 25 days, rest 5 days I didn’t get a change to touch my lab because of my office work. I Cracked 46 Machines in 28 Days and I still have 2 days left – there are lab pdf challenges, if we are to solve all of them, document each and every challenge and send it along without exam report – Offensive Security will award us 5 Bonus points – these 5 points will be a life saver if you get 65 points in the exam and if you submit your lab report – you pass. As I have 2 days left and I am not in the mood to crack machines, I started working on the Pdf challenges – I would have missed a lot, if I didn’t work on the pdf challenges then– there is a lot of learn from the Pdf they provided – I covered all the challenges in the last 2 days – took me around 20-25 hours easily to solve and document all those challenges. Do not work on the Pdf challenges at the end, please start it from the Day 1 as you can learn a lot from the doc and videos Offensive Security provided, In fact all the items provided in the docs and pdf are used in OSCP lab.

If you are not working in a red team or if you don’t have prior experience in penetration testing, I personally recommend you take either 60 or 90 days and explore more in the network. There is always more to enumerate. If you are struck anywhere you can contact OSCP support staff, they are more of a try harder gang- they will try to guide you without giving you the answer. 

Things to Remember when you are working on OSCP Lab

·         Read and complete all challenges given in PDF – its very helpful
·         Make notes of all the machines you crack
·         Make your own cheatsheet
·         Automate petty tasks – learn to use bash and powershell
·         Practice Reporting of cracked machines

What you can learn in OSCP

·         Various Windows & Linux command like tools
·         Bash & PowerShell Scripting
·         Reverse Shells/ Bind Shells
·         Passive and Active Reconnaissance, Port Scanning, Basic Enumeration
·         Vulnerability Scanning and Assessments
·         Exploiting Web Based vulnerabilities
·         Binary Exploitation - Windows & Linux Buffer over flow (My Fav)
·         Client-Side Attacks
·         Exploiting known vulnerabilities using publicly available exploits
·         File Transfers
·         Anti-virus Evasion
·         Windows & Linux Privilege Escalation
·         Password Attacks
·         Port Redirection and Tunnelling (pivoting)
·         Active Directory Attacks (New)
·         Metasploit & PowerShell Empire

OSCP Exam: My Story

As every one of you know OSCP Exam consists of 5 boxes – the boxes are categorized as 2*20 points machines, 2*25 points machines – one of which is buffer over flow, 1*10 points box – which sums to a total of 100 points and you need 70 Points to pass.
So, what’s the best bet here?  My plan is to go for 25 points buffer over flow machine first, then 10 points (as this is the easiest machine in exam and trickiest as well), then go after both 20 points machine and then 25 points machine.
I planned on taking the exam as soon as possible from the date of my lab expiration which is Jan 21st. So, I logged into exam portal and got shocked I have no room to book until 20 days. Crazy right, OffSec calendar is fully booked and I am more of a night guy and was looking to start the exam in the eve and booked it for 14:30 PM Feb 18th.

Moment of Truth Arrived, the day of exam – as usual I woke up late (11.30 AM), got ready for exam and I started 30 mins early for document verification and stuff. It took around 30 mins and my exam was supposed to start at 2.30PM and I am waiting for the OffSec team to send me vpn. I waited and waited its past 3:00PM, then I texted proctor that I haven’t received the VPN for exam. Proctor asked me to contact support and when I contacted support, I receive the vpn in 5-10 mins. Its almost 3:10 PM I guess. I lost 30 mins of my exam, I kind of tensed for a min, I calmed down in sometime and read through all the info presented 

Timeline: 

3.30 PM - started my port scanning on all the machines
It’s never good to rush. I took everything step by step as planned. Started with buffer overflow, I faced some challenges
5:00 PM -  cracked by first machine and carefully submitted the proof.txt. I took a deep breath and started reading my port scan report and started 10 Points box, it was very tricky as expected
6:19 PM – Cracked the 10 Points box, faster than expected. Now, my actual plan is to go after 20 points boxes but when I am going through the other 25 points nmap scan report, I felt like I could crack It and started it –
7:20 PM - Got the initial shell on other 25 points box, I was jumping in joy as I got 25+10+12.5=45.5 points, my feeling is like all i need is to crack only one 20 points box to pass as I have the report ready (5 Bonus points). Now, as I tampered my exam plan, I wanted to back to my original plan of going after 20 points first before going after the 2nd 25 points box. So, I stopped the 25 points box after getting initial shell and started working on the first 20 points box and at
08:43 PM - Got initial shell on first 20 Points box
9:00 PM – Rooted the 20 Points box and submitted the flag. I got up, walked for few mins, ate something
9:15 PM - Started 2nd 20 points box
22.30PM - Got the initial flag Now I am confident that I passed the exam (25+12.5+10+20+10) I took dinner break here for around 30-45 mins and got
11:10 PM - Back to game
11:43 PM – Rooted the 2nd 20 points box. The end of game, I got 87.5 Points + 5 bonus points (Assumed) – I didn’t want to strain myself more, took a break long break and chilled. I still have 13 hours left for exam + 24 hours for report writing. 70% if the time I played music to calm me down.
1:00 AM – Report Writing; As screen recording is not allowed, I started writing my report
3:00 AM - I slept for 5-6 hours
9:00 AM - I started working on privilege escalation to 25 points box, It was an unsuccessful attempt though, I was unable to crack it.
12:00 PM – Lost Connection to offsec VPN for an hour. So, I sent an email to OffSec team and they extended my lab for 1 and half hour. That was great, I got more time to work on my report writing
4:00 PM - Lab Ended.
5:00 AM (Following day) – I’ve submitted my report next day and slept peacefully.
28th Feb 2:00 AM - I got an email from OffSec saying I passed the exam and Officially I am OSCP Now. That was a very great journey, I enjoyed every movement of exam more than lab. Thank you OffSec for such a great experience. & my family who supported and helped me in every way possible to achieve this.

Tips for OSCP Exam:

1.   Check the Machine IP's
a.    Start Timer (Dont Stay on a Single Machine for too Long)
b.    Cracked a Machine - Restart the Timer
2.   Start Buffer overflow
a.    Start NmapAutomator on all 4 machines before starting BOF


3.   Take Screenshots of everything
4.    Start with 10 Points Box after BOF (25 Points); If this is taking too long, switch to a new box. Come back to this later. Document Everything.
5.   HTTP is Vulnerable Most of the times - start with HTTP
ü  Start nikto, dirb,dirsearch, dirbuster - extensions
ü  robots.txt, config.php, license.txt
ü  Try Default Creds - if the creds doesnt work - try searching for creds for sometime and move to next step as it might be a rabbit hole
ü  Try Cewl --> use it for brute forcing
ü  Check for the running application version
ü  Google the application for finding version & exploits
ü  Dont just rely on Searchsploit, search on google as well.
ü  Check Github Exploits as well, read the exploit properly
ü  Run wpscan, droopscan if they are found - search for vuln plugins, version
ü  Search for LFI / RFI - got a doubt - Check PDF/ Videos
ü  Check for SQL Injections
ü  Check for Tomcat, web.config, cgi-bin exploits

6.   Checks all ports - do a full nmap scan, if u think something is missing
7.   Don’t work on a single port for too long.
8.   REMEMBER, sometimes – you cannot fully exploit a box with just one vulnerability, you might need to some other vuln to exploit the box.
9.   Always check for nmap vulns
10. Ippsec.rocks - Search for vulnerability here
11.Check SMB port
a.    If linux machine has smb - check version and exploit it
b.    use smbclient without password and null login as well
c.    Smb SCF file exploit - Using Responder, might not be for exam

Resources:

Pre-Requesters

3)   Ippsec.rocks  à you wanna learn exploit something, search here

Pivoting:

4)   Pivoting - Port Forwarding & Tunnelling – there’s lot more on this box

Windows Privilege Escalation:


Linux Privilege Escalation:


Exploits:

15)        Reverse Shell Cheat sheet
16)        Pre-Compiled Exploits Github
17)        Exploiting MS-SQL Techniques
18)        CVE Collection Github

Buffer Overflow:

22)        Exploiting VulnServer - Captmeelo  à try all so that you have a better understanding of exploit development
23)        Linux Buffer Overflow

Active Directory Penetration Testing

27)        Using Blooghound

Others


Conclusion

Finally, OSCP is something that all penetration testers and aspiring pentation testers must do, I am really glad I took OSCP exam, it was so much fun and exciting. I enjoyed every movement of lab and exam. If you are new to red team or penetration testing, there is hell of things to learn here – but do not take it as an exam or for certification – OSCP is a journey towards trying harder and never giving up on anything. The more you try, the more enjoy and learn. If you give up halfway – you will lose a lot. OSCP doesn’t not cover high level topics, but there is a lot of learn from basics as well. OSCP can act as a turn around to the way you see security.


I thank my Family, Offensive Security Team, Hackthebox & Ippsec – a learnt a lot from you all and will keep learning 😊


Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.

No comments:

Post a Comment