My OSCP Journey

Parteek Singh
12 min read · Apr 5, 2020


“OSCP is a journey, not a destination”

Hello Everyone,

This is the first ever blog I am writing. I want to share my experience: how it started and what challenges I faced during the course. So, let’s start.

First of all, I hope everyone around the world is safe, as there is a worldwide pandemic due to COVID-19.

A brief about myself: I am a Cybersecurity Analyst working with Network Intelligence India Pvt. Ltd., with 2.4 years of experience in web/network vulnerability assessment and penetration testing and a little bit of mobile pentesting.

Before Registration

So, my journey started around January 2019, when I was planning to improve my skills. I had already registered on Hack The Box but never seriously looked into it. I came to know about OSCP because my seniors in my company have that certification. So I went to them and asked about the certification and what preparation needs to be done to complete it. My senior gave me the advice to start solving vulnerable boxes from Vulnhub first, and once you are able to pwn boxes on your own, go for the OSCP labs. Then I started doing Vulnhub and solved 10 boxes, as I was only able to manage some hours after my office hours. After a while, I got to know that other people have shared their experiences, so I started reading blogs by other people on OSCP and started preparing according to that. Reading blogs, I got to know that HTB is a good learning platform. So, I just jumped back to HTB. Time passed; after 1 month I was only able to crack 2 boxes. So, I thought I was still not ready for the OSCP. 6 months passed and I had solved 10 boxes from HTB and 10 boxes from Vulnhub. Due to some health issues, I was not able to go for my OSCP course until December 2019.

After Registration

Finally, on 1 Jan 2020, I registered for OSCP and my lab was scheduled for 5 Jan. I had gone for the 60 days’ time period for this course. And it was a challenge for me, as I was still recovering and had 8 hours of office work, which I was doing from home. I had to manage my time between my office routine work, my workout sessions and my OSCP labs and study materials.

In PWK-Lab

On the first day, my lab timing was 5:30 AM, and that day was a Sunday, so I woke up late and checked my mail. I was very nervous at that time. At the correct time I got the VPN connection and credentials; then I downloaded the study material and took a quick look at the PDF and videos. I completed 20–25 pages of my study PDF on that day. After that, I tested my VPN connection and it was working fine. After 2–3 days of reading the PDF and watching the videos, I started doing the lab daily from 8:00 PM till 3:00 AM after my office hours. I am a bit lazy while reading my study material, so I just started with the videos and then the PDF. The challenge for me was that I had to manage my time: an 8–9 hour office work routine, my OSCP labs, plus my 1 hour workout session and the course materials. It was hard for me to manage time. So I managed my time like this: I was doing work from home at that time, so it was a bit easier to manage time. I used to start my office work at 9:45 AM, quickly completing my work till 4:00 PM daily and submitting all the project details; that left me with approx. 3 more hours. I utilized that time and started reading my PDF and watching videos side by side. After that, I went for my 1 hour workout session and sometimes for a walk. After returning from the walk, I again started with my labs. So I started my labs after 3 days. And I had planned that on weekends I needed to spend more time, so I would probably go with 14–15 hrs on my course.

Day 4, I connected to my VPN and started the labs from the very first IP. The box name was Alice, and I was clueless how to solve the box. So I enumerated and found the exploit, but I hardly thought about it and blindly ran the exploit code, and nothing happened. I was trying and trying, still no progress. I just shut down my machine and went to sleep. The same routine followed: quickly wrap up my office projects, manage some time for study; sometimes I was lucky to get an extra 2–3 hours during office time, but that was a very rare case. Again I went at Alice, tried to understand the flow of the code, still no progress for me. I struggled a lot, and after a week, on 9 Jan, I solved my first box, Alice. I was planning to do 1 box per day and document the box. The days passed and I completed my course videos and PDF on 13 Jan, as I am very slow while reading content from a PDF. The next day I solved Phoenix, and so on, completing 6 more boxes, as I was going with one box per day. I had heard a lot about the Big 4 boxes in the labs: PAIN, GH0ST, Sufferance, Humble.

The day came when I got PAIN. I started that box; it took me 4 hours to root the box and I was very happy that one was down.

The next was Left Turn, which I solved in 3 hours. After two weeks were completed I had solved 12 boxes so far. One more week passed and I had done Alpha, Beta, Gamma, Bruce, Tophat, Dotty, DJ and one more.

3 weeks completed, I had solved 19 boxes. The next day was another big box, Gh0st. The box was amazing and blew my mind; it took 1 day to solve this box. The next day, when I started my lab around 8:00 PM, it was another big box, Sufferance. As that box name suggests, I seriously suffered a lot in that box. Finally, after struggling with that box, I somehow solved it, and it was 3 AM in the morning. I just closed my laptop lid and went to sleep.

The next day the box I solved was FC-4. Days passed; I solved another 10 boxes in 10 days and my confidence was building high. The next box I started at was Humble, the most difficult for me; it took me around 5 days to crack the box. I am not good at coding, so it took me 1 day to understand the exploit, and I made a lot of mistakes on that box, which took me 5 days’ time to crack. I unlocked the IT Network in the first week of Feb, the Dev Network in the second week and the Admin Network in the third week, and was left with one more week for my labs. I was able to solve the Dev Network only. After my lab period completed, I was only able to solve 40+ boxes.

I scheduled my exam after my labs; my exam was scheduled for 17 March. My labs ended on 5 March. So I had some time left for more preparation. I checked TJ Null's OSCP-like boxes, went to HTB, purchased VIP for one month, and till 13 March I had done 15 boxes. I had 2 days left for buffer overflow revision; I set up my own BOF machine and started doing BOF.

Things were not good for me: my main laptop’s motherboard crashed before my exam, and I was worried because of that, as I was only left with 3 days until my exam. So I managed a backup laptop; that laptop's configuration was not as high as mine.

On Exam Day

I was very unsure about the exam before the day of the exam. On the day, I woke up at 8:00 AM, took a shower, after that had breakfast, and again watched some HTB retired box videos. After that I had lunch and set up my room for my examination. Then at 3:15 PM I connected my machine to the Offsec ScreenConnect and webcam and completed the steps, and started my exam from the buffer-overflow machine. I was sure that I would solve the BOF in 1 hour, but things were not in my favor: when I started, my laptop was working so slowly that it took me 3:30 hrs to analyze the binary provided, and I missed one bad character, so still nothing happened. On another terminal, my AutoRecon was running on all the IPs, and I went for a 30 minute break.

After returning from the break I again started with the BOF, and 1 hour passed and still I was not able to solve it. As it was already 9:00 PM, I left that BOF machine.

And went for my dinner. After returning from dinner I went for the 10 pointer machine; 1 hour passed and I was clueless, so I left that box and went to the next box, the 20 pointer.

Around 12 AM I started the box; after 1 hour I got a user shell, which built me some confidence, and around 2 AM in the morning I got a root shell. The box was not that hard. So after approx. 11 hrs, I had solved only one box, and I panicked about how I could clear my exam. So I told the proctor I was going to sleep. I went to sleep around 3:00 AM.

So I woke up at 5:30 AM and went outside for a walk for 30 minutes to calm myself down. After returning from the walk I asked myself whether I could still clear the exam; I had 9:30 hrs left.

I reconnected to my proctor session around 6:00 AM and resumed my exam. Again I checked my AutoRecon, which had completed. I was left with two boxes which I hadn’t checked yet. So I went for the 25 point box; it seemed to be direct, and in 30 minutes I got a user shell. I was happy and got some more confirmation that I could still clear the exam. After struggling with priv esc, I left the box.

At around 8:45 AM, I started with my last 20 pointer machine. After 1 hour passed I found the exploit but was not able to exploit it successfully. So I left that box. After a 10 minute break, I went back.

Around 9:45 AM, I again started with my BOF machine. After struggling with my laptop slowness issues and the BOF, it took me another 1 hour, and finally I cracked that box at around 10:30 AM. So I was having one 25 pointer, one 20 pointer box and one 25 pointer machine with a user shell. Around 5 more hours were left. So I quickly took a break for another 30 minutes.

Around 11:00 AM I started with the 10 pointer box; after 1 hr 30 minutes of time spent, I finally cracked that box. Now I had 65 or 67.5 points. I just needed one user shell or root from the 25 pointer box. I left the 25 pointer and went for a break for 30 minutes.

Around 1:00 PM I returned and checked all my screenshots first. When I checked, I had taken only the BOF screenshots, and my laptop was taking 40 sec to take a screenshot. I realized that in my tmux the sessions of my previously solved boxes were still open, so I quickly took screenshots of all the boxes. It took me another 1 hour and still I had missed some screenshots.

Around 2:00 PM, I started my 20 pointer box, and I was too tired; I was hardly able to sit on the chair. I was left with my last one hour. Somehow I built some strength and started the box. Time was passing so fast; I could hardly manage to exploit the box, so I was left with 30 minutes. I thought now I was going to fail the exam, but suddenly something struck in my mind and finally I got the user shell. I relaxed, as now I had passed. But I wanted to go for root to ensure I would pass the exam. Left with 3 minutes, I just randomly ran my favorite Linux PE method and boom, I found the way; a quick Google found the exploit, I sent it to the box, ran it, got root, quickly copied the flag and posted it in my account. As I submitted the flag I got a message from the proctor session that my time was over.

Finally, I was amazed that I had completed the OSCP exam with 85 points. I took a break, and in the night around 9:00 PM started reporting till 2:00 AM, then went to sleep. Again I woke up early in the morning and continued reporting; I completed my reporting at around 10:30 AM. I rechecked everything in my report and submitted it to Offsec.

After a week, on 27 March, I received a mail from Offsec that they had sent my report and results to the escalation team, as they thought I had not maintained the integrity of the course. I don’t know why this happened. After that mail I sent an explanation to them, and after 2 hrs I received another mail from the escalation team; they said that during the investigation of my account and exam everything was fine and my report was sent back for grading. I was like, what the hell is going on with me.

Finally, on 29 March I woke up early around 7:00 AM and checked my phone; I saw a notification from the Offensive Security team that I had successfully cleared my OSCP exam.

Tips for Exam:

Just keep calm, like a normal day of pentesting; under stress or nervousness things will get more complicated for you. Starting scans on all the machines at the beginning will save so much time. The things you learn in the lab are more important than the certificate you will get, so focus more on the lab. Arrange a good backup laptop, and don’t panic in the exam as I did. And remember to Try Harder.

Here is a list of some important resources from which I learnt and practiced.

Useful Blogs:

  1. http://www.madirish.net/59
  2. https://guif.re
  3. https://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf
  4. http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/?redirect
  5. http://pentestmonkey.net/tools/audit/unix-privesc-check
  6. https://www.fuzzysecurity.com/tutorials/16.html
  7. https://sushant747.gitbooks.io/total-oscp-guide/
  8. https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
  9. https://github.com/xMilkPowderx/OSCP/blob/master/Buffer%20Overflow.md

Vulnerable Machines :

TJ Null has shared an awesome list of OSCP-like boxes from HTB and Vulnhub. Below is the link that contains the list of boxes.

Buffer Overflow:

  1. A quick intro on buffer overflow.

Buffer Overflow Practice:

Windows:

Linux:

File Transfer:

Windows:

There are so many ways to transfer files from the attacker machine to the victim machine.

  1. VBS scripts, good for older Microsoft Windows like XP, 2000 and Server 2003.
  2. SMB Server
  3. HTTP Server
  4. FTP Server
  5. TFTP Server
  6. Powershell
  7. Certutil
  8. RDP also has a feature to transfer files.

Linux:

  1. Python server
  2. curl
  3. wget
  4. FTP
  5. SCP
  6. Apache server
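The "Python server" item on the Linux list (and the HTTP server item on the Windows list) is usually just `python3 -m http.server` on one side and `wget`/`curl` on the other. What the lists do not mention is checking that the file arrived intact, and a truncated or corrupted transfer is one of the easiest ways to lose an hour in a lab. The following is an added example, not code from the original post: it serves a directory over HTTP in the same way `http.server` does, downloads a file the way `wget` would, and compares SHA-256 digests on both ends. The file name and contents are constructed for the demo.

```python
"""Serve a directory over HTTP (the "Python server" item) and verify the
downloaded copy by SHA-256 so a truncated or corrupted transfer is caught.
Added example, not the original post's code; file name and contents are constructed."""
import hashlib
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def start_file_server(directory: str, port: int = 0):
    """Start a background HTTP server rooted at `directory`, the equivalent of
    `python3 -m http.server`. Port 0 lets the OS pick a free port."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_and_verify(url: str, dest: str, expected_sha256: str) -> bool:
    """Download `url` to `dest` (what `wget`/`curl -o` does on the other side)
    and return True only if the digest matches the one computed at the source."""
    with urllib.request.urlopen(url, timeout=10) as resp, open(dest, "wb") as out:
        for chunk in iter(lambda: resp.read(65536), b""):
            out.write(chunk)
    return sha256_of(dest) == expected_sha256


def demo() -> bool:
    """Round trip: write a constructed sample file, serve it, download it, verify it."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        src_file = os.path.join(src, "sample_tool.sh")  # constructed file name
        with open(src_file, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample tool\n" * 1000)
        digest = sha256_of(src_file)  # compute this on the serving side, before the transfer
        server, port = start_file_server(src)
        try:
            ok = fetch_and_verify(f"http://127.0.0.1:{port}/sample_tool.sh",
                                  os.path.join(dst, "sample_tool.sh"), digest)
        finally:
            server.shutdown()
            server.server_close()
        return ok


if __name__ == "__main__":
    print("transfer verified:", demo())
```

In a real lab you would run `sha256sum` on the serving side and on the receiving side instead of the `fetch_and_verify` helper; the point is the same: print the digest before the transfer and compare after, rather than trusting that the file size looks right.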

Pivoting and Port Forwarding:

Local Port Forwarding SSH

Remote Port Forwarding SSH
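Local port forwarding (`ssh -L LPORT:TARGET:TPORT user@pivot`) is easier to remember once you see what it actually builds: a listener on your own machine, and for every connection that listener accepts, a fresh outbound connection from the pivot to `TARGET:TPORT`, with bytes copied in both directions. The following is an added example, not code from the original post or from any of the guides linked here: a small pure-Python forwarder that models that listener-and-relay behaviour without SSH, plus a constructed echo service standing in for the internal host so the whole thing can be exercised offline on localhost.

```python
"""Model of what `ssh -L LPORT:TARGET:TPORT` sets up: a local listener that relays
each accepted connection to TARGET:TPORT. Added example, not the original post's
code; the echo service is a constructed stand-in for the internal host."""
import socket
import socketserver
import threading


class EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the internal service the forward would reach."""
    def handle(self):
        data = self.request.recv(4096)
        self.request.sendall(data)


class ForwardHandler(socketserver.BaseRequestHandler):
    """Each accepted local connection gets its own connection to the target;
    bytes are copied both ways until either side closes its write half."""
    def handle(self):
        target = self.server.target  # (host, port) stored on the Forwarder instance
        with socket.create_connection(target, timeout=5) as remote:
            def pump(src, dst):
                try:
                    while True:
                        chunk = src.recv(4096)
                        if not chunk:  # peer closed its write side
                            break
                        dst.sendall(chunk)
                finally:
                    try:
                        dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
                    except OSError:
                        pass
            t = threading.Thread(target=pump, args=(remote, self.request), daemon=True)
            t.start()
            pump(self.request, remote)
            t.join(timeout=5)


class Forwarder(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, listen, target):
        super().__init__(listen, ForwardHandler)
        self.target = target


def serve_in_background(server):
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def start_echo_service():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    srv.daemon_threads = True
    return srv, serve_in_background(srv)


def start_local_forward(target_host, target_port, local_port=0):
    """Equivalent of `ssh -L local_port:target_host:target_port`, minus SSH."""
    fwd = Forwarder(("127.0.0.1", local_port), (target_host, target_port))
    return fwd, serve_in_background(fwd)


def send_through(port, payload: bytes) -> bytes:
    """Client side: talk to the local listener exactly as if it were the target."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            c = s.recv(4096)
            if not c:
                break
            chunks.append(c)
        return b"".join(chunks)


def demo(payload: bytes = b"hello through the tunnel") -> bytes:
    """Start echo service and forwarder, send payload via the forwarder, return the reply."""
    echo, echo_port = start_echo_service()
    fwd, fwd_port = start_local_forward("127.0.0.1", echo_port)
    try:
        return send_through(fwd_port, payload)
    finally:
        fwd.shutdown(); fwd.server_close()
        echo.shutdown(); echo.server_close()


if __name__ == "__main__":
    print(demo())
```

Remote forwarding (`ssh -R`) is the mirror image: the listener lives on the pivot and the relayed connections are opened from your own machine. Keeping those two pictures straight is what makes the `-L`/`-R` syntax, and later sshuttle and proxychains, stop feeling like magic.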

Abatchy’s Port Forwarding Guide:

Tools:

SSHuttle:

Proxychains:

Feel free to connect with me through LinkedIn or Twitter. :)

