Firat Demir
13 min read · Nov 2, 2023

My OSCP journey: Tips & Tricks

1. Introduction

Hello everyone,
Today we are going to discuss the Offensive Security Certified Professional certification, aka OSCP, and how you can beat it based on my experience. I passed the OSCP exam on my first try with 100/90 points, without Metasploit. I overkilled the exam; if you want to take lessons from my mistakes and experiences, hang tight and grab a coffee.

1.1 Whoami

My name is Firat, I am 21 years old. My interest in cyber security goes back to my childhood. I left school when I was 15. I believed it was a waste of time; we (I) were learning nothing useful there, so I decided to leave school and focus on improving myself. But things weren’t that straightforward: someone needed to work hard to put food on the table.

I always tried to educate myself about how things work, seeing the big picture, understanding the reason behind it. I had a special interest in how to infiltrate systems and exploit vulnerabilities, so I started by learning programming. At the age of 17 I was fluent in Python; I applied for a job which required me to learn C#, and I did my internship in that company. For 3 years I worked in a restaurant and tried to improve myself in my free time. For the following 2 years I worked in a hotel as a receptionist and in other different roles.

1.2 How it started

I was hearing about the OSCP from every major player in the industry; they said it’s challenging and worthwhile. I convinced myself to take the OSCP, to prove my knowledge to myself and earn industry recognition. So in my last year in tourism I was saving money up for my OSCP.

When I look back at that time I am glad about this decision. Once I focused on the OSCP, things started to look organized. I believe overall it was a great opportunity to learn more and improve my skillset.

2. Preparation

2.1 Pre-preparation

I started my OSCP preparation back in November 2022. In my first month I did nothing but watch ippsec and John Hammond videos. I was taking notes on every video: what they were doing, how they were doing it, and exploring the unintended routes. The reason behind this was to make the methodology an instinct. I was trying to make it a reflex, and I guess I succeeded.

But even before beginning the pre-preparation, I had a fair amount of CTF experience, so I had my basics.

TjNull’s vulnhub list

In my second month I started to work on TjNull’s VulnHub list. I finished ~60 machines in a month and wrote short writeups about all the machines I solved. Overall I think this was the most enjoyable month for me. I improved my notes greatly thanks to those challenges.

My short writeups about each machine I solved from VulnHub

Once I achieved my goal on VulnHub I moved on to learn BoF. I gave myself 15 days to master it, and thankfully after that time I felt comfortable with Buffer Overflow, but sadly this is when Offsec removed it from the exam structure. You can guess how I felt about it :D

After BoF I gave myself 10 days to understand the basics of Active Directory: what it is, how it works, etc. I used HTB Academy. I love their way of teaching. They teach you how to administer an AD environment and how things work before trying to crack it.

This is when we were hit by 2 massive earthquakes (I live in Turkey/Diyarbakir) and we had to leave the city. I was AFK for a while.

When things settled I resumed my study. I bought a month of membership from CyberSecLabs to start applying what I knew about AD and practicing it, but on my 3rd day of membership they announced this:

My VPN wasn’t working either because of an expired certificate. So I decided to move on to the next stage: a THM subscription.

I finished almost every path there and ranked 59th in Turkey.

But my main focus was Active Directory; I knew if I failed that part in the exam I’d most likely fail it. So I finished every single room on TryHackMe regarding AD (except the Insane ones).

Once I was done with THM, I moved on to the next stage: HackTheBox.

At that point I knew I had enough experience with Linux machines but very little experience with Windows. So I focused on TjNull’s HTB Windows list and ignored the Linux list.

TjNull’s HTB list

I was writing short writeups for HackTheBox as well. “Anything you don’t write down flies away”: this is the lesson I learned the hard way.

My writeups for each HTB machine I solved from TjNull’s list

I tried to solve as many HTB machines as I could, but much like on THM my main focus here was AD as well, so I started to solve the AD-101 path from HackTheBox. They are great, but in my opinion overkill for the OSCP.

At this point I was drowning in my own notes. So once my VIP membership on HTB expired I gave myself a week to rest and organize my notes. Lastly I made a pivoting schema for chisel as well as Windows and Linux Privilege Escalation mindmaps based on my experience, so if I was ever stuck on any step of PrivEsc I had a road map to follow. Here they are:

Chisel Work Logic
Linux Privilege Escalation Mindmap
Windows Privilege Escalation Mindmap

2.2 Preparation — The PWK Time

2.2.1 Exercises

I bought PWK on the 15th of June. In the first 2 weeks I finished KLCP (but I didn’t have an exam voucher) to make a solid base for the OSCP. In my opinion KLCP has nothing to do with pentesting; it’s a certification for a Linux-based operating system, so expect nothing more.

Until the last month of my PWK subscription I read the PDF, watched the videos, solved the exercises and spent some time with OffSec Academy. Once I hit at least 80 percent of every module I started to work on the Challenge Labs.

2.2.2 Challenges

Once I joined the challenge labs room of the Offsec Discord I felt lost :D We had only ever seen 1 machine at a time, but here in the challenge labs things are not that simple. There are subnetworks in the challenges and you can’t revert one machine, you can only revert the entire challenge. That was a problem: it means you need to exploit the same vulnerability once again and set up your pivoting for each of your tries.

But much like anything else, once you have experience you can deal with it just fine. Challenge labs weren’t a nightmare for me. In fact I was enjoying them so much. Offsec did a great job on the challenge labs, I believe. They are realistic and still fun to play. Those were great times, I still miss it :(

As Offsec says, “Challenge labs can be separated into two parts: the first 3 labs are Scenario and the last 3 labs are Simulation”. I solved every Challenge Lab at least twice in a month (except Skylark). The key thing here is that I prepared a full professional report for OSCP-A, B and C; I highly recommend you do the same. In the end you have only solved a CTF if you cannot write an exam report the way Offsec specifies, since it’s very strict and doesn’t forgive.

3. The Exam

Unfortunately, where I live you may experience random electrical cuts, so I was afraid the same thing might happen on my exam day. So I called the power distribution company and asked about the day I intended to take my exam; they said “No sir, there’s no planned power cut or maintenance of any kind”. To make sure, I told them to message me 30 minutes before any power cut in my district, and indeed they sent me the messages, so I knew I had 30 minutes to switch the power source.

3.1 Pre-exam preparations

Once my PWK bundle expired I bought Proving Grounds Practice and tried to solve the machines from there. At this point I was feeling the burnout: since I was studying ~100 hours per week in my last month I was very sleepless and tired of all this stuff. So I couldn’t make use of my PG Practice subscription like any other subscription I bought. But still I finished all the intermediate boxes and wrote my writeups about them.

I made a to-do list before taking the exam, things like “buy a backup IP cam, solve this machine once again before taking it”. I did my shopping the day before the exam, bought the Red Bulls and snacks. The night before the exam I was so nervous. I knew I had what it takes, but you cannot control this feeling, right? So I watched a nice movie and tried to chill. Since my exam was scheduled for 9 AM the next day I headed to bed at 10 PM but couldn’t sleep until 2 AM no matter what I did.

3.2 Big Day

I woke up at 6 AM, prepared my breakfast, went to the bathroom and took a cold shower, and sat at my exam desk at 8 PM to check all my notes and make sure I had all I needed.

After that I started to create my exam environment. I used 4 workstations: the first one for AD and the VPN connection, and the rest for the 3 standalone machines. I launched my web servers and all the other stuff so as not to waste any time during my exam.

I created a file named syntax.txt to hold the most common tools’ syntax, so I wouldn’t waste time trying to remember the syntax for a particular tool. It helped a lot; you can find it here

I logged into the proctoring interface, showed my room and exam desk, and they OK’d it. Then came the ID confirmation step; it took a little longer than it should have. By 9:10PM I started my exam.

3.2.1 AD Set

Before beginning my exam I reverted the whole exam set once to make sure things were set up correctly. Once that was done I fired up my auto-enumeration scans, nmap and web crawlers, to avoid wasting time while I was reading the “Objectives” from the flag submission panel. I made sure I fully understood them. When that was done I proceeded to manually enumerate the first AD machine. I couldn’t get my foothold for nearly 5 straight hours; I had an alarm at the beginning of each hour to rest for 10 minutes.

I was working on my exam the same way I worked on OSCP-A, B and C: I had hostnames and IP addresses, next to them ports, next to them a brief explanation of what each might be. I was writing down exactly what I found and at what time. Below that I had my detailed notes about each machine, what I tried and what I didn’t. Below that I had a credential area for each machine, like this: “hostname-IP:username:hash:password”.

I tried literally everything in my notes, everything I knew, but nothing was working; plus there were a couple of rabbit holes I tried to make work, but nothing came up. At that point I knew I had missed something small yet crucial. I stepped back, reverted the AD set and restarted my enumeration on that machine after a 30 minute long break. There it is! I found what I was looking for.

Do not make the mistake I did: I didn’t take a small detail seriously, but it turned out to be my way into the AD kingdom. Take your time and READ everything you have slowly.

By 2PM I had my initial access into AD, and it took me 90 minutes to conquer the whole AD kingdom. The hardest moment for me was the initial access; I underestimated something and it cost me 5 hours of chasing ghosts. I can’t say anything about the AD set for the obvious reason, but what I can tell you is: be prepared for every kind of situation. Have a second way to get things done. I am so glad that on my second time solving the challenge labs I used different tools and paths.

Now I had 50 points (+ 10 bonus points) and I could relax. I ordered some food, went to the balcony and tried to chill. That was the most crucial part of the exam; now all I needed was 20 points to finish this pain.

3.2.2 Independent Machine 1

There was a machine that seemed very easy in every way, but regardless of what I did, the machine was giving me timeouts. I reverted the machine 4 times and nothing changed; I reached out to support about the machine and they said it was all fine. I had credentials but I couldn’t use them anywhere.

From what I learned afterwards, whoever faced that machine failed. I still wonder how one can solve that box. It’s not about how skilled you are, since it was giving timeouts no matter how many things you tried.

3.2.3 Independent Machine 2

After a long break (I saw the way into the machine as soon as I saw the results from my enumeration scripts, so I was chill) I came back to my exam desk, got my initial foothold into the second independent machine and rooted it by 7:31PM.

I had prepared myself specifically for PrivEsc techniques on Linux and Windows, so at no point in my exam did I struggle with PE. I also made sure that I was fluent in the most common attack paths for AD, both those taught in PWK and those that are not.

Now I had the 70 points needed to pass my OSCP. I could approach the rest of the exam as if it were a CTF.

3.2.4 Independent Machine 3

This machine was by far the most difficult one; it had an unbelievable amount of rabbit holes and things to try. Considering it is an exam machine and you’re already experiencing burnout by this point, it was an insane box.

After a break I came back to my exam desk to solve this one. By this point it was around 11pm. I tried to check everything I had, but I understood that I didn’t have enough time/patience to deep-dive into every possibility. So I started to make a list of things to check and the results of my checks. It helped a ton to visualise what I was facing. I got my foothold into this machine at around 12:02 AM. This was the only machine where I used a PE enumeration script; I ran linpeas and took another 20 minutes of break.

I found something suspicious. I tried to search for it but got nothing: no article about it, not mentioned in any writeup… So I continued my research and found an exploit that might work against it. I tried my luck with that one and got root access to this machine by 2:42AM.

Once I finished the third standalone I started to check every screenshot I had. I made sure everything was set and added a few more screenshots to increase the level of detail so the person from Offsec wouldn’t struggle to understand the whole process. I wrote a fully detailed walkthrough for each machine I solved to help with my final exam report the next day and went to sleep at around 4:32.

I woke up at 7:59, with only 45 minutes of my exam time left. I tried to work on Independent Machine 1 once again and tried my best, but the result was still the same: it was giving me timeouts. I checked all my screenshots once again, triple-checked all the hashes that I had submitted to the flag submission portal and finished my exam at 8:35 with 90 points.

4. Report

I closed the portal and disconnected my VPN. I headed to bed but couldn’t sleep until 12pm. I was exhausted at this point. I couldn’t sleep. 3 empty bottles of Red Bull, dark circles under my eyes, so I decided to return to the report writing process. I started to write my report over the template that Offsec provides for the OSCP exam and finished my report around 11 PM. But this stage was so stressful: if I forgot something critical I wouldn’t have a second chance at report submission, as Offsec says “your report is final.” So I checked my report over and over again. Once I had convinced myself about it, I submitted the report.

5. Post OSCP

I knew I should have passed the exam: I had enough points, screenshots and a well-explained report, so I shouldn’t have worried, but it wasn’t something I could control. I was checking my email literally every 10 minutes. After a lifetime I got my results on Monday at 1PM.

There it is… the very thing I worked so hard for.

First I got the result from my PEN-200 exam schedule panel.

And about 14 minutes after that I got the official mail stating that I passed the exam!

What a journey it was… I tried harder.

6. Tips And Tricks

  • CrackMapExec is your best friend; master it before taking the exam.
  • If you find yourself in a situation where you’re scripting/coding something, it’s most likely not the way. Step back and restart your enumeration.
  • Dump everything in every possible way once you own a box. You might miss something critical; always DCSync. Mimikatz doesn’t always give you the full results.
  • Enumeration is indeed the key; when you get stuck, come back to the enumeration step.
  • Time management is really important. Try to work with a stopwatch from now on and find the method that suits you. People underestimate the importance of a fresh head.
  • Keep It Simple, really.
  • Spray every user you found on every protocol that is possible; PWK teaches you this very well.

7. What’s next?

My current plan is to take the CRTP, the HTB RastaLabs Pro Lab, CRTO and finally the OSEP in the next 6 months if I can. I have a special interest in Active Directory in general, so I’ll be working on that for now.

You can reach me at:

LinkedIN — https://www.linkedin.com/in/f%C4%B1rat-demir/

Discord — @rootofnull

E-Mail — Firat.Demir1337@gmail.com

Thank you very much for your time, I hope I could help :)