59 Hosts to Glory — Passing the OSCP

A few minutes after 1am on April 14, 2019, I hit enter and breathed a huge sigh of relief. On the screen in front of me was a root shell on the last of my exam hosts. I had finally achieved my months-long goal: to not only pass the OSCP, but to root all 59 hosts (54 in the labs, 5 in the exam). It had taken me the better part of 90 days to get the 54 lab hosts, but the 5 exam hosts I managed to defeat in less than 12 hours.

What follows is a write-up of my OSCP experience.

Background

I am by no means a rookie when it comes to pentesting. In fact, I’ve been a penetration tester for almost 7 years, for the most part specializing in web applications. Network pentesting, of which a significant amount of the OSCP revolves around, is not one of my strengths, making the OSCP a challenge for me regardless.

The Labs

Whether you pay for 30, 60, or 90 days of access to the labs, they are a great learning experience. With 54 hosts that are intentionally exploitable, you are almost spoilt for choice. In my opinion, while the course materials (PDF and videos) were valuable, the real value is in the labs. When I started the course, I spent about 3 weeks going over the videos and the PDF, before I even started in the labs. This didn’t end up hindering me, as I bought 90 days of access, but I would certainly recommend watching the videos and going over the PDF as quickly as you can.

The labs also encourages you to do research into vulnerabilities and their exploits. Some hosts will have dependencies (other hosts you need to exploit first), some hosts will be inaccessible until you can break into another network, some will have you tearing your hair out for hours or even days. Every host should teach you something, even if it is something small. The labs are a great way to prepare for the exam, so try to get as many lab hosts as you can in the time you have.

Enumeration / Reconnoissance

Enumeration / reconnaissance is probably the most important thing you will need to learn in order to pass the OSCP.

The reasoning is simple. Whether you are in the labs or in the exam, you know any host you are presented with is exploitable. You just have to find the right exploit. The only way to do this with any realistic chance of success is enumeration. The problem is, enumeration is hard, it’s often complicated, and sometimes it takes a long time. I hated doing enumeration, but at the same time, I knew it was the most important thing I needed to do in order to pass.

The solution, for many people, is to use automated tools (yes, this is allowed in the exam too). There are plenty of them out there: ReconScan, Reconnoitre, and bscan are all ones I used in the labs. I loved certain features from all three, but none of them did everything I wanted, so I ended up creating my own: AutoRecon

If you love one of the three other enumeration tools I mentioned, you’ll probably love AutoRecon, as I tried (to the best of my ability) to merge the three tools into one. On top of that, AutoRecon can also scan multiple hosts concurrently. My recommendation for the exam is to run it against the 4 “main” target hosts while you tackle the buffer overflow host first. Once you’ve completed the buffer overflow, you should have a load of results to go over.

Enumeration doesn’t just apply to hosts pre-exploit, it’s equally important for privilege escalation. Luckily there are lots of useful tools already out there, such as LinEnum.sh for Linux, and Powerless / PowerUp for Windows.

The Exam

After my lab time expired, I opted not to take the exam immediately. Instead, I took advantage of the 3 month time window which OffSec gives you to schedule your exam. In that time, I rewrote some parts of AutoRecon, added new checks, practiced on some HackTheBox boxes, and made sure I had refined my collection of notes from the labs. In retrospect, I over-prepared, but I wanted to take the exam when I felt ready, rather than feeling rushed.

I recorded the entirety of my exam using OBS, using a profile which recorded at 10 fps with no audio, and saved output in the mkv format. Even though I was recording three screens at full resolution for several hours, the total size of the recordings (I created a new one for each host) was under 4GB. I would definitely recommend using OBS to anyone taking the exam, as it could save you if you get to the reporting stage and realize you forgot an important screenshot.

As soon as my exam started, I ran AutoRecon against my target hosts, while I completed the buffer overflow. My plan was to get the 70 points needed to pass in the shortest route possible (25 point buffer overflow, 25 point host, and one of the 20 point host). After that I could “relax” and get the final two hosts.

For the most part, my plan worked. I completed the buffer overflow machine in about half an hour, by which time most of the AutoRecon scans had finished. The other 25 point machine took almost 2 and a half hours to complete, but now I was only 3 hours in and had 50 points. I started looking at one of the 20 point hosts, and it took me about an hour just to get a local shell. I ran my privilege escalation enumeration scripts, and saw nothing. I scoured over the results for another hour, before deciding that I should move on, and come back to this host at the end. The other 20 point host was far easier, and I got my root shell after 2 hours, which gave me the 70 points I needed to pass.

Including all my breaks (which I took after gaining a shell, after escalating privileges, or switching hosts), I was only 8 hours into the exam, so I was feeling pretty confident that I could get the remaining two hosts in the time I had left. I decided to go for the 10 point host first, and easily defeated it in just under 40 minutes. Finally, I went back to the privilege escalation of the final 20 point host. I decided to practically start from scratch, re-running my privilege escalation enumeration scripts and going over the output again, line by line. For whatever reason, the second time around, I noticed something that I hadn’t before, and after probing it a bit further, realized it was my way in. Finally, after 12 hours, I had completed all 5 hosts.

I wasn’t done yet though. Although I’d been taking some screenshots throughout, and writing detailed notes after I completed every host, I decided that with the remaining time, I should make an effort to get screenshots for every stage of the exploit and privilege escalation, just so I had them in preparation for the report writing the next day. This took me another few hours, at which point, I called it a night, and went to bed. After my exam ended, I spent a good few hours writing the report, going with a “boot to root” format instead of the one in the example report OffSec provides. I used a lot of screenshots, but I made sure to caption most, and of course, included detailed step by step instructions on how each exploit was found. In total, my report came to 44 pages.

Discord Server

One of the unexpected bonuses that the OSCP experience gave to me was the community that has developed on one of the (unofficial) OSCP discord servers: PWK/OSCP Prep

I initially joined the server after seeing an invite on Reddit early into my labs access. The server was started by an OSCP “graduate”, and there are several hundred members who either have their OSCP, or are in the process of taking it. The community is incredibly helpful, and there are always people online who can help you out, whether you have a question about OSCP itself, something more technical, or to give you hints if you are stuck on a lab host and need some help. If you are thinking about doing the OSCP, in the middle of your own OSCP experience, or even if you’ve passed and want to chat or help current students, I invite you to join us.

Q&A

I wanted to make this write-up a little different, so I asked members of the PWK/OSCP Prep discord server to pose questions which I could answer:

How do you go about enumerating web apps?

Web apps are the trickiest things to enumerate, because there is no “standard” web app. However, all web apps have commonalities, so here are a few suggestions for enumeration:

  • Use a directory / file enumeration tool like dirsearch or gobuster with a decent wordlist to try and find hidden pages. I always try the following extensions by default: txt, html, php, asp, aspx (use some common sense though; if the server is Apache, it’s doubtful ASP will be used).
  • Look at the source code of any pages you find, there might be clues hiding in the HTML comments, or references to functionality.
  • Learn to use wfuzz with payloads from PayloadsAllTheThings and fuzzdb. The advanced filtering options can easily identify potential SQL injections, LFI, etc.
  • Proxy the web app through Burp. Even though you can’t use Burp’s powerful scanning functionality in the exam, the Repeater tool will make your life easier.

How do you select which service to try first?

My general rule is: order doesn’t matter, as long as you leave the web servers until last. Enumeration of almost all non-HTTP services is pretty simple, and you can usually tell pretty quick if you’ll be able to get somewhere with a service. With HTTP, there’s so much it could potentially be. It would be a waste of precious time in the exam if you spent an hour doing HTTP enumeration, and instead there was an FTP server which was exploitable all along.

What was your time management like during the exam?

I set myself a couple of rules:

  1. I would evaluate my progress on a host every hour (if I got a local shell, I would reset the timer).
  2. If I hadn’t made significant progress on a host in 2 hours, I would move on to the next one.

More importantly, I followed these rules. If you’re at the 2 hour mark and you’re still stumbling around, it’s OK to give up. Make some notes about where you were, what you’d checked, and if you have time later on, try again.

How can I improve my privilege escalation?

Practice. That’s all you need. Learn how to use the scripts I’ve previously mentioned, try them out on OSCP lab hosts, or HackTheBox hosts, or even VulnHub VMs. There are plenty of privilege escalation guides out there you can use as well, and many more scripts.

One of the best sources I found for both Linux and Windows privilege escalation practice was the Windows / Linux Local Privilege Escalation Workshop, which contains a PDF guide, tools, a Debian Linux VM full of of privilege escalation vulnerabilities, and a batch script for Windows 7 (x64) which will intentionally misconfigure it.