OSCP 2022 — Tips To Help You Pass: K.I.S.S.

0xP
12 min read · May 26, 2022


Disclaimer: The thought processes and concepts mentioned throughout this article may be interpreted in different ways by different readers, that’s fine. This is not meant to be a “one size fits all” OSCP master guide in any way, shape or form. In addition, it does not aim to ruin the integrity of the exam. It is simply my perspective of the exam and includes the resources I used to help me prepare and pass it. It is beginner friendly, but it would help if you had some familiarity with HTB, THM, or any kind of CTF as it relates to tool usage. I hope you enjoy and find it helpful!

Introduction

Whether you’ve just started your first HackTheBox challenge or walked into your 40th TryHackMe room, if you’ve stepped anywhere near the Ethical Hacking space, you’ve heard of the Offensive Security Certified Professional (OSCP) exam developed by Offensive Security. This exam has earned a reputation as one of the most “intimidating” exams in the industry for a multitude of reasons, but for now we’ll focus on three:

  • Compilation of advanced practical challenges (6 total)
  • Strict time constraints (24 hours for the technical portion)
  • Premium price tag ($1,499 for 1 exam attempt + 90-day lab access)

In addition to the three aforementioned reasons, Offensive Security announced earlier this year that they would be changing the exam environment to focus more on Active Directory exploitation — an environment most of us aren’t “used to”, to say the least (you can read about the changes here). When you consider the stakes, there’s no doubt that this exam is intimidating — but possible, nonetheless. I had the opportunity to recently take and pass the exam on my first attempt, and wanted to share a transparent preparation/approach process, that could hopefully assist you during your journey.

Exam Structure — Point Based Exam

3 Independent Targets (10 for user + 10 for root) = 20 points each

1 Active Directory Set (2 clients + 1 Domain Controller) = 40 points

Professional Report (Displaying each of your steps) = 10 points

Proctored Exam: Yes, you’re being watched and your activity is being monitored.

70 points are needed to pass.

*You’re also given +10 points for submitting a professional report*

RULES: Review them here

What’s the best way to prepare? — KISS

The harsh truth is that you won’t ever be “fully prepared”. It’s an exam full of practical challenges you have never seen before. I think we put so much emphasis on how “difficult” we think the exam will be that we forget to keep things simple (some of us tend to complicate a lot of the simple things in life, but that’s a conversation for another day). Focus on mastering your methodology and understand the phases:

  1. Reconnaissance
  2. Scanning & Enumeration
  3. Exploitation (Gaining Access)
  4. Privilege Escalation
  5. Command & Control (Persistence/Maintaining Access)
  6. Clearing Tracks (usually not necessary in CTFs, but good practice)

Steps 1 & 2 are interchangeable depending on the environment/exam.

Some of you may group 1 & 2 into “Information Gathering” and that’s fine. The methodology shown above applies to the OSCP exam structure (and many others).

“My” Thought Process — Exam Break Down

Once you connect to the exam environment, you’re given a set number of hosts: 3 standalone environments & 1 AD set (2 clients + 1 Domain Controller). Because I started with the standalone machines, we’ll start with the approach to those hosts.

What’s the most logical thing to do first? Remember your methodology. It’s no different than the steps you would take in an HTB or THM room. If your immediate thought revolved around “Gathering Information/Scanning” — correct! Now, what will your micro-steps (tool usage) be? Here are mine (in no specific order):

PS: This is meant to be very generic, but “could” apply to one of your OSCP boxes. Obviously if there isn’t an open http(s) port, your micro-steps could change drastically, but the concept remains. I’ll leave tool usage/syntax up to you but I will provide some examples/use cases:

1. Run an Nmap scan on the host — review findings. Click here for more network enumeration tools/examples.

2. If there’s a domain name (port 80/443 is open), add it to /etc/hosts — navigate to the domain and run a Nikto scan in parallel to check for potential vulnerabilities. In addition, run a tool like FFuF or Sublist3r to look for potential sub-domains (these are usually filled with “important” information: login portals, file upload portals, downloadable files, or some sort of login credentials within the source code). Click here for more web enumeration tools/examples.

2a. If those ports aren’t open, review the other open ports/services for potential initial attack vectors (examples include: port 21, 22, 88, 5985, etc.). Here’s how I would think:

  • Port 21 (FTP): Can I log in anonymously and download some files? Can I log in anonymously and upload some files? — here you would be looking for some sort of information disclosure or an opportunity for a reverse shell upload. (Review the cheatsheet here.)
  • Port 22 (SSH): Can I brute force the credentials and log in to the host? Was I able to find any RSA keys, usernames, hashes, or passwords during my enumeration process that could help? What service version did I find associated with this port — is it vulnerable? (Review the cheatsheet here.)
  • Port 5985 (WinRM): Ah, this must be a Windows environment, let’s see if I can enumerate some credentials and use a tool like Evil-WinRM to gain further access. (Review the cheatsheet here.)

2b. As far as brute-forcing goes, in addition to some of the common tools mentioned above, there’s one tool in particular that (almost) automated my brute-forcing/enumeration process during the exam — CrackMapExec (review the cheatsheet here). Review the links to gain a better understanding of its purpose if you aren’t already familiar.

3. From a Web perspective (Refer to OWASP Top 10 for clarity), consider:

  • Is there any opportunity for Broken Access Control? Can I manipulate the URL to give me access to an account/directory I shouldn’t have?
  • Any valuable information in the source code (Ctrl+U)? You’d be surprised.
  • Is there any opportunity for Cross Site Scripting (XSS)?
  • Is there any opportunity for Injection?

I didn’t experience any XSS, BAC, or Injection situations but it doesn’t hurt to be familiar with them. I would assume vulnerabilities like these would be present in the OSWE exam. Once again, it doesn’t hurt to be aware of them as you never know the environment you might receive. Heath Adams does a great job displaying what these look like in this video.

Note Taking is Critical For Success

No one is a wizard. When you have multiple hosts to scan, enumerate and exploit, it is imperative you take notes to understand (and remember) the environment. To make it easier, our friend Rowbot has created a template for us. I used it during my exam and will continue to use it throughout different engagements/assessments — it made everything 10x easier to digest. Here’s a preview:

Follow the link to clone the repo and open the document using CherryTree. Duplicate the nodes and sub-nodes to correlate with the amount of hosts you have. Change the IP address to match your host(s).

In addition to my notes, I had a sheet filled with certain tools, methods and syntaxes in case I forgot something. Special thanks to Sanyam Chawla for creating this.

Once again, consider this portion a refresher if you’re experienced. The purpose here was to relay the value of enumeration + research + curiosity (all while having solid organizational skills) as it relates to your methodology.

The Reconnaissance + Scanning/Enumeration (Information Gathering) phases are the most important. You should have been taking notes up to this point and should use them to develop an idea of what your attack surface is. Allow your findings to lead you directly into your next phase — Exploitation (Initial Access).
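To tie steps 1 through 2b to the note-taking habit above, here is an added example (not from the article, and not part of Rowbot’s template or any tool the author links) that turns Nmap grepable output (`-oG`) into a per-host note skeleton: one heading per host, one line per open port, and under each port the checklist questions from the article’s own per-port list. The sample scan lines are constructed, and the note layout is my assumption about how the per-host nodes are organised; per-port questions for ports the article doesn’t discuss fall back to a generic “research the version” item.

```python
"""Turn Nmap grepable (-oG) output into a per-host enumeration note skeleton.

Added example, not from the original article. It assumes notes are kept per
host (one node per host, one line per open port) and that Nmap was run with
-oG, which prints one "Host:" line per host with a "Ports:" field whose entries
look like port/state/protocol/owner/service/rpcinfo/version/.
"""
import re
from collections import OrderedDict

# Constructed sample of Nmap grepable output. Not real scan or exam data.
SAMPLE_GREPABLE = """\
# Nmap 7.92 scan initiated (constructed sample)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/\tIgnored State: closed (997)
Host: 10.10.10.8 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds///, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/
# Nmap done (constructed sample)
"""

# Per-port questions carried into the notes: the article's own checklist.
WEB_CHECKS = [
    "Add the hostname to /etc/hosts",
    "Run a Nikto scan in parallel",
    "Look for sub-domains/vhosts (FFuF / Sublist3r)",
    "Read the page source (Ctrl+U)",
]
CHECKLIST = {
    21: ["Anonymous login? Can files be downloaded?", "Anonymous upload possible?"],
    22: ["Is the service version vulnerable?",
         "Any keys, usernames, hashes or passwords found elsewhere?"],
    80: WEB_CHECKS,
    443: WEB_CHECKS,
    5985: ["Windows host: enumerate credentials, then try Evil-WinRM"],
}
DEFAULT_CHECK = ["Research this service/version for known issues"]

# The Ports: field runs until the next tab-separated field or end of line.
PORT_FIELD = re.compile(r"Ports:\s*(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: [ {port, proto, service, version}, ... ]} for open TCP/UDP ports."""
    hosts = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the "# Nmap ..." banner lines
        ip = line.split()[1]
        hosts.setdefault(ip, [])          # a Status-only line still records the host
        match = PORT_FIELD.search(line)
        if not match:
            continue
        # Entries are separated by ", "; each is slash-delimited (7 slashes).
        for entry in match.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue                  # ignore filtered/closed ports
            hosts[ip].append({
                "port": int(fields[0]),
                "proto": fields[2],
                "service": fields[4],
                "version": fields[6],
            })
    return hosts


def render_notes(hosts):
    """Render the parsed scan as a note skeleton with per-port checklist items."""
    out = []
    for ip, ports in hosts.items():
        out.append(f"## {ip}")
        if not ports:
            out.append("- no open ports recorded (rescan with other options?)")
        for p in ports:
            version = f" ({p['version']})" if p["version"] else ""
            out.append(f"- {p['port']}/{p['proto']} {p['service']}{version}")
            for question in CHECKLIST.get(p["port"], DEFAULT_CHECK):
                out.append(f"    - [ ] {question}")
        out.append("- [ ] user flag    - [ ] root/system flag    - [ ] screenshots saved")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_notes(parse_grepable(SAMPLE_GREPABLE)))
```

Run it against a real `nmap -oG scan.gnmap` file by reading the file into `parse_grepable`; the checklist dictionary is the place to grow your own micro-steps as you learn new services, so the notes for every host start from the same baseline.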

You’re Half-Way There!

Okay, let’s assume you’ve managed to enumerate well enough that you’ve found some credentials to brute-force with, or maybe one of the service versions on an open port was susceptible to a remote code execution vulnerability. You’ve found your path to exploitation and are now a low-level user — What’s Next?

FIND THE FLAG

4. cd into every directory and cat (if Linux)/type (if Windows) every .txt file until you find that user flag. From there, you’ll have to copy the flag text and paste it into the corresponding machine shown in the exam portal. Once the user flag is found, you’ve pretty much completed 50% of the machine. Your adrenaline should be running at this point and you should be motivated to complete the rest of the machine (gain root access) — How?

The Home Stretch — Remember your Methodology!

The chances of you gaining a shell as a root user are slim. Your next focus point should revolve around the “Privilege Escalation” phase. It’s safe to say that there is more than one way to go about doing this. I’ll be reminding you about how you should be thinking below:

5. Whether one or more of the standalone machines are Windows or Linux, my first order of business was to find my next attack vector. You could enumerate information about the system manually by looking for additional users, reviewing running processes, cron jobs or potentially out-of-date software, looking for kernel exploits, etc. — but this will kill the clock. I automate this “micro-step” by using a tool called WinPEAS (if Windows) or LinPEAS (if Linux) — the results can be overwhelming initially. Use this checklist to give you an idea of what you should be looking for. The results from either one of these tools could be imperative in your path to gaining root privilege. Follow the tool usage and review EVERYTHING in red. Also, if it’s not obvious by now, you’ll have to be familiar with transferring files/software to and from the target machine — review this cheatsheet to consider your options.

5a. In addition to fishing for vulnerabilities, you could also try dumping credentials, hashes, or tickets using Mimikatz. Hackersploit does a great job showcasing examples here. In addition, use this cheatsheet to assist you with the syntax. Mimikatz results (or any credential you find, for that matter) could be used/re-used for privilege escalation or lateral movement — we’ll touch more on this later in the Active Directory section.

Once again, there’s more than one way to skin a sheep, but the examples discussed here were applicable for me during my exam. Abusing file permissions, taking advantage of OS or Kernel-level vulnerabilities and combining some of the tools mentioned should bring you closer than you think to achieving root user. Easier said than done, but I was able to root 2/3 of the standalone machines simply by following the methodology discussed here.

TAKE BREAKS

I shouldn’t have to say this again, but I will — document and screenshot all of your findings! Not only will you need them for your report, but keeping your artifacts could save you from having to backtrack — and you want to be as conservative as possible with your time. Speaking of time, this is the perfect time to remind you to take a break. Try to rest for “at least” thirty minutes after rooting a machine (depending on how much time you have), or even if you find yourself stuck on the same problem for a few hours. Take a break, clear your mind, then continue.

It took me about 5 hours to root 2 of the standalones. I kept a mental note of the amount of points I “technically” had. Each standalone is (+20 pts) considering you’ve compromised the user and the system. I was at 40 pts + 10pts (assuming my report would be sufficient) which placed me at 50 total. I decided to use this to my advantage and take a nap (my exam started at 11pm EST, yes, I was tired). I knew when I woke up, I would spend the rest of the day focusing on the AD portion of the exam. I napped for about 4.5 hours and began my exam again at promptly 8:30 am.

BE PREPARED FOR THINGS TO GO WRONG — Murphy’s Law

If you’re not familiar with Murphy’s Law, I suggest you do some research — if something can go wrong, it probably will. 20 minutes into my exam (after my nap), my power went out. I did what anyone would do in this situation. I panicked. However, I came to my senses as quickly as possible and decided to email Offensive Security Support from my phone. I explained the problem thoroughly and by the time I pressed “send”, my devices were back online. I explained to the proctor what had happened and they were very understanding. I took a few more minutes to get my head together, then continued my exam.

Active Directory Set

This is probably why you’re here. Let’s get right into it.

PREPARATION

In terms of preparation, there’s probably no better way to prepare than going through TCM Security’s Practical Ethical Hacking Course (watch the first 12 hours free) and, if you’re ready, to actually take the PNPT exam. The course will not only teach you how to build your own AD environment (which is invaluable), but it will give you better insight into common attack vectors and misconfigurations. Another great resource is the TryHackMe Offensive Security Path (great especially if you’re a beginner). In addition to the aforementioned resources, Offensive Security includes a decent amount of labs that walk through each phase of exploitation, as well as some “Proving Grounds” boxes to practice on. To practice in a more “CTF” style environment, try some of the HackTheBox machines below:

Credit: @Joas A Santos

EXAM STRUCTURE:

2 Clients + 1 Domain controller. This portion is worth 40 pts.

APPROACH:

To keep the integrity of the exam, I won’t go into detail about where you “start”, but I’ll say this — The standard “methodology” & “micro-steps” you applied in the standalone environment(s) are relevant up until it’s time to enumerate the environment & move laterally/escalate privileges:

These will be your best friends when exploiting Active Directory.

Assuming you’ve successfully gained a foothold in the environment, one of the first things you’ll want to do is get a better understanding of what your escalation path would be. The tool that comes to mind for me is none other than BloodHound (HackerSploit does a great job of showcasing BloodHound’s capabilities in this video). Once you have your “path” in mind, it’s time to think of ways to move — remember your “micro-steps” from earlier. Check for accounts, file permissions, and running services to see if they have some value (you could potentially automate this with tools like PowerView & PowerUp). If you are unable to download files and your automated approach doesn’t work, spin up PowerShell and begin your enumeration manually. Here’s your cheatsheet. If you still need some assistance, watch Joe Helle enumerate AD like he created it.

There could be a plethora of ways to move around the environment depending on your findings. Conduct thorough enumeration, review your findings, and think about how all of your tools could be used collectively to successfully compromise the domain controller (zux0x3a was nice enough to include most of the attack vectors here).

Conclusion

How can you “master” the methodology? — Practice!

Some of you might have just passed the eCPPT, CRTO, PNPT, eJPT, CRTP/E, solved a bunch of HTB/THM rooms or even competed in CTFs — that’s practice! You can never practice “too much”. To do any of what I just mentioned, you’ve applied the methodology (whether you realized it or not); now you just have to repeat it in different environments until it’s embedded into your thought process and you’re comfortable. The only thing that will change between each phase is the micro-steps (tools you use) you take to gain a low-level user and eventually root privileges!

My Score (If you care):

(2) Standalone Machines rooted: +40pts

AD Set Rooted: +40pts

Professional Report: +10pts

Total: 90 pts

My objective was to pass. Once I was confident I had done that, I reviewed my screenshots/notes once more and ended my exam. No need to stress myself out more than I already was.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

If you made it this far, I’d like to thank you for your time. This is my second article and my only wish is to help more people in this space. Again, the purpose of this article was to familiarize (or remind) people of how important the basics are. Often times we feel “lost” (I still do), and it could be discouraging seeing everyone else “master” a concept or acquire a certification — especially as “important” as the OSCP. I hope everyone reading this has found it beneficial, and I wish each and every one of you success during your journey.

As promised — KISS (Keep It Simple S***id)

If you’ve enjoyed this guide, be sure to check out a similar article by GromHacks: “Guide to the 2022 OSCP Exam on M1 (with Active Directory)”

If you need clarification on anything, feel free to connect with me on Social Media:

Twitter: https://twitter.com/whoisPremier

Discord Server: https://discord.gg/5q5PmCRmBA

-0xP
