The only OSCP advice you will need!!!

cosmin ciobanu
Jan 23, 2018

In the following article I would like to share my journey into obtaining the Offensive Security OSCP certification. My goal is not to reiterate what has already been said, but rather to give more tailored advice to the potential pursuant of this certification. What I can tell you right off the bat is that the entire process is very rewarding once you have gone through it.

The Lab

The PWK training course comes with videos accompanied by a PDF guide. Go through both the videos and the PDF, do the important exercises (e.g. the buffer overflow) and take proper notes (KeepNote, OneNote, or plain Atom with Markdown are all fine). The famous lab environment is meant as a playground for the OSCP exam taker. 90 days of lab access should be enough to go through most of the public network machines. Once you have a grasp of the techniques, start poking at the lab machines.

Structure your work

It is important to have a proper write-up of the lab machines and to work in a structured manner. By doing so you train yourself to draft proper reports, and it will help you a lot later in the exam. Make sure you include all necessary proofs, code snippets, commands and screenshots for each step of the process (e.g. 1. information gathering, 2. enumeration and reconnaissance, 3. exploitation, 4. privilege escalation, 5. post exploitation). Try to reproduce the results by going through the write-ups in order to validate their quality.

IMHO it’s not worth losing precious lab time on the lab report: it requires quite some effort and you’ll get only 5 points for it in the exam.

Lab/exam logistics

Port scanning information management:

Metasploit is a great tool for managing the port-scan information of the lab/exam targets.

# Start the postgresql server
root@kali:~# service postgresql start
# Enter the metasploit console
root@kali:~# msfconsole
# Create individual workspaces for lab / exam
# (e.g. one workspace per lab subnet: public, IT, dev)
msf> workspace -a lab_network
msf> workspace -a exam_network

# Switch to a particular workspace. All the scans will be saved in this context
msf> workspace lab_network
# Remove a workspace
msf> workspace -d lab_network
# Scan the ports of a target and save the output into the db
msf> db_nmap -sVV -p- -A -T4 <IP>
# Retrieve the list of available machines from the db
msf> hosts
# View the open ports/services of a particular machine
msf> services -u <TARGET-IP>

More details here: https://www.offensive-security.com/metasploit-unleashed/using-databases/

TIP: Privilege escalation is the key to both exam and lab!!!

There are no restrictions on using Metasploit in the lab but in the exam it’s allowed on only 1 box.

My recommendation is to use Metasploit throughout the lab, but without the meterpreter payload. In this way you will learn the art of privilege escalation better (meterpreter trivializes privilege escalation and post exploitation). All the lab/exam boxes are meant to be exploited using different exploits and techniques.

TIP: Read carefully and replicate the steps from the write-up provided by Offensive Security for the Alpha box. Adapt your techniques accordingly.

TIP: "Enumerate more" means: scan ports, scan all the ports, scan using different scanning techniques, brute-force web directories, brute-force web directories using different wordlists and tools, check file permissions, check registry entries, check for writable folders, check for privileged processes and services, check for interesting files, look for a more suitable exploit using searchsploit, search Google for valuable information, etc.

TIP: Don’t forget to revert your lab/exam machines.

The EXAM

Sleep well the night before.

Fix the structure of the report and add as much information as possible to the report template and to your notes prior to the exam. Things like: general statements, placeholders for information to be added, buffer overflow steps etc.

Start early in the morning with the targets that will yield the highest number of points (25). The goal is to obtain at least 50 points while you are still fresh and your brain still functions :). Continue with the rest of the machines.

Stretch your back and take breaks, eat well, have snacks and drinks.

Valuable resources that you should consider:

https://xapax.gitbooks.io/security/content/

Follow the steps in these two playbooks:

https://github.com/xapax/oscp/blob/master/linux-template.md
https://github.com/xapax/oscp/blob/master/windows-template.md

Privilege escalation:

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
http://www.fuzzysecurity.com/tutorials/16.html