MY OSCP JOURNEY (June-2020)

Akashgupta
6 min read · Jul 8, 2020


It started about four months back when I came across OSCP on a similar blogging site, and I was naturally drawn to it, being a passionate pentester myself. What began next was grueling months and days of hard work and

Now I am here, inspiring the next set of hackers to take up this fantastic learning experience and showing how to embark on the journey to Offensive Security Certified Professional.

Background

I graduated in Computer & Communication Engineering from the prestigious Manipal Institute of Technology in the year 2019. I am currently working as a Cyber Threat Analyst at NetEnrich, Bengaluru, but a significant chunk of my job is pentesting customers' infrastructure. Pentesting is something I am very passionate about and have been doing for the last 3+ years, first as a hobby and then professionally.

GOING BACK……..(in time)

My colleagues and good friends motivated me to take up the challenge.

Setting goals:

  1. To complete the VulnHub and Hack The Box (OSCP-like) machines within the first two months.
  2. To complete the PWK labs.
  3. To improve my weak zones, namely Active Directory and Windows privilege escalation.
OSCP like machines

MY JOURNEY

Pre PWK (Hardest phase of the journey):

The first day…. I sat down with a steaming coffee cup and some biscuits, resolving to hack the first VulnHub machine. The coffee went cold, the biscuits lay uneaten, and my spirits were lowered. The first failure didn’t matter to me. I sat down the next morning with a fresh perspective, read some walkthroughs from the internet, and successfully hacked the machine, but could not develop a methodology from it. I came across the YouTube channel IppSec, whose videos really helped me establish some rules. Since I was weak on Windows boxes, I did these two courses:

  1. Attacking and Defending Active Directory Lab by Pentester Academy
  2. Windows Privilege Escalation by Tib3rius

I would recommend these courses to anyone who is a beginner in Active Directory and Windows privilege escalation, respectively.

Anyone who is weak in Linux privilege escalation should go through:

https://www.udemy.com/course/linux-privilege-escalation-for-beginners/

PWK

I felt ready to start the PWK course. For those who don’t know, PWK consists of course material plus practical labs that let you practice those skills. I bought the 2-month lab subscription and exam, which you can get for $1199. I completed the materials in 10 days and made sure to maximize my lab time. The labs felt natural to me because they were similar to the machines I had done on HTB and VulnHub, except for the “big 4” and a few other exceptions. If you get stuck, take hints from the PWK forums. The key is to keep making notes of the learnings from each machine and to update your methodology. By the end of the two months, I was able to crack 41 boxes. To keep records, I used CherryTree, and for automating enumeration, I used AutoRecon.

One day before the exam…………………………………………

I practiced privilege escalation for Windows. I went over the strategy I had developed for the next day:

  1. Complete the buffer overflow within two hours.
  2. One hour for the easy machine, six hours for the two medium boxes, and six hours for the hard server.
  3. Six hours of sleep.
  4. Three hours for collecting screenshots and completing notes.

EXAM DAY…………..

I woke up at 10:30 am, had my breakfast by 11:30 am, and set up my secondary monitor. The exam was scheduled for 12:30 pm. It is a proctored 24-hour test.

I was able to crack the buffer overflow in 1 hour and took just half an hour to break the easy machine, by the end of which I had acquired 35 points. I became confident, as I was progressing with ease.

Soon after lunch and a 10-minute break, I started on the first medium machine, where I got local.txt but could not get SYSTEM privileges. I found a privilege escalation path, but that track always led me to the same user’s rights. I wasted 3 hours going down the same path repeatedly, since all the hints were pointing towards it. It was 6:30 pm, so I decided to move on to the other medium machine. I managed to get a few passwords, but I went nowhere with them; another 3 hours wasted. My PC got slow. By the way, make sure you have around 16 GB of RAM and a 3 GHz processor, because the proctoring software used by OffSec takes a lot of resources. I informed the proctor that I would be rebooting my PC and the VPN connection.

Blood bath😭

After restarting, it was around 10:00 pm. I decided I wouldn’t go to sleep until I had enough points to pass the exam, so I started on the hard machine. Getting a foothold on this server was weirdly easy, and I thought to myself that if I could somehow root this machine, I would clear the exam. But it didn’t happen that easily: I fell into a rabbit hole and wasted 4 hours. I went back, looked at my privilege escalation outputs, and found that escalating to root was straightforward. I was relieved (70 points, finally!), with 2:00 am on the clock. I wanted to make sure I had more than 70 points, so that even if I messed up a few things in the report, I would still pass. I felt damn sleepy, so I slurped down a few cans of Red Bull. I would not recommend this to anybody, but the things we do for hacking.

Not Recommended.☠️☠️☠️☠️☠️☠️☠️☠️☠️☠️☠️☠️

I started digging into the medium-level machines again. Soon enough, I rooted the first medium machine and got a basic shell on the other. It was 6:30 am, and I decided to stop hacking and complete my notes, since I had enough points on the board. I double-checked that I had all the screenshots required for the report (ipconfig/ifconfig, proof.txt, local.txt) and ended the VPN connection/exam at 8:30 am on the second day.

I had to attend my office meeting at 12:30 pm on the second day, so I started writing the pentest report before the meeting, while the memories of the hack were still fresh.

I was nervous between the post-exam and the result phase. I kept thinking: did I put enough information in my report? Did I miss any vital screenshots? Did I compress the report in the correct format? I had heard of one guy who failed the exam just because he didn’t use the 7z format for compression, even though he had 100 points.

On 30th June, I got an email from the #OffSec team. Yaaaaay!!

Email from offensive-security

Few Tips for Exam:

  1. There are rabbit holes made just for you to get stuck in. Don’t cling to one path.
  2. The foothold for all the machines in the exam was easy if you know your Google-Fu properly.
  3. Practice buffer overflow from the OffSec material, which will suffice even if you have no previous knowledge of the topic.
  4. Maximize your lab time. The materials you will have forever, but lab time is limited.

Acknowledgment:

  1. IppSec: this guy helped me through his walkthroughs.
  2. Tib3rius: his AutoRecon tool saved a lot of time during the exam.
  3. Abhishek Bhuyan: for his continuous support.
  4. Srikanth Suresh: my mentor, who always pushed me to try harder.
  5. My girlfriend: who loved and supported me through the process, and helped me design and write this blog.
