My journey to OSCP certification

Shibz
10 min read · May 6, 2020


Introduction

I’ve always been drawn to things that I think are difficult. In October 2019 a friend introduced me to the concept of ‘bug bounties’. I thought it was a really cool and interesting phenomenon and I followed up on it by watching some videos on YouTube. My interest was sparked. I wanted to learn. Not because I want to become a bug bounty hunter, but because I want to know how it works and how those guys and girls think. It led me straight to hacker101 and Hack The Box (HTB).

I had no real prior knowledge. I learned the absolute basics on hacker101. A week later I moved on to HTB. I was intimidated by the difficulty but I subscribed to get access to the retired machines and started with the easy ranked (Linux) boxes.

My first box on HackTheBox

Through trial and error I got more comfortable with all the different attack vectors and privilege escalation techniques and I gradually started to include medium ranked boxes. I also started watching IppSec’s videos on YouTube. I’d do a box, then watch the video and picked up all kinds of useful nuggets of information this way. This guy is a genius.

During these first few months I just focused on getting comfortable with the tools and techniques: learning the basics and absorbing as much knowledge as I possibly could. On the way to work I’d listen to podcasts, YouTube videos or Udemy courses. After work and late at night I’d do machines on VulnHub or HTB. Along the way I found out about the various certification programs out there. A popular one seemed to be the “OSCP” by a company called Offensive Security. To earn the OSCP certification one must successfully complete the PWK course, which consists of a massive amount of coursework, an optional lab report and a mandatory 24-hour long exam. This looked exactly like the type of challenge I’d enjoy.

Preparation

I knew I wasn’t ready to immediately start PWK just yet. I had only completed a handful of Windows machines on HTB so I knew I was severely lacking in (at least) that department. I figured if I’d take 3 months to get more comfortable with Windows, I’d have a much higher chance of success. I stumbled across a course/lab-environment called VirtualHackingLabs. Reading some reviews it seemed like this was very good preparation for PWK.

So I decided to do the following:

  • Purchase a 6 month membership on VirtualHackingLabs (VHL) to get some Windows experience and hone my methodology
  • Enroll in PWK after 3 months of VHL
  • Start working on the HTB and VulnHub machines on this list by TJ Null

I started my subscription at VHL at the beginning of February 2020 and jumped right into the lab environment. I was able to root all machines fairly quickly and picked up some much needed Windows practice. I will not go into too much detail but I will say this: VHL was a great experience for me. Firstly, because you get access to 40+ machines to practice your skills and methodology. Secondly, the Discord channel is very welcoming and helpful to new people.

The PWK Labs

I started the PWK labs on Sunday, March 22, 2020. I had access to the updated labs. Like with VHL, I skipped the course exercises and went straight for the labs. I did not do the exercises and lab report for the extra 5 points on the exam. I learn more by just doing labs and doing my own research when needed. I also asked myself this question: if you need those 5 points to pass, are you really ready? I’m not suggesting you should take the same approach, it’s just how I did it.

Most of the machines were relatively straightforward and only reinforced what I already knew. I did however learn a few cool tricks that I hadn’t had to use anywhere else yet. Definitely a very good learning experience.

I ended up rooting 48 machines in about 4 weeks. At that point I knew I just had to take a shot at the exam because I wasn’t going to learn a whole lot more here. So with a bunch of lab time left I scheduled my exam and started preparing.

The week before the exam

To me this was all about practicing the buffer overflow and Windows privilege escalation.

The buffer overflow was really not that difficult. I used the videos in the course (which were very good) and a YouTube playlist by “The Cyber Mentor” (which I liked even better):

Basically all you need

I then practiced on a couple of vulnerable apps and was consistently able to create an exploit in about 30 to 45 minutes.

For Windows privilege escalation the best resource I found was Tib3rius’s excellent Udemy Course: Windows Privilege Escalation for OSCP & Beyond!

The conciseness of that course is absolutely incredible and after completing it twice, I felt very confident and comfortable in reproducing various escalation techniques.

The Exam

My exam was scheduled on Tuesday, April 28, 2020 at 7AM. Like most people in my position, I was pretty anxious. I went to bed early but could not sleep for a few hours. I also woke up quite early. Still managed to get 7 hours of sleep which is enough for me.

When I woke up I had a light breakfast and a few cups of coffee. I was at my laptop 40 minutes before I had to check in with the proctor. I used this time to go over the exam guide once more and double check my webcam was working and ready to go.

The proctor was right on time and the process you have to go through went smoothly. I was now ready to start.

I had decided to take on the machines in the following order:

  • Buffer Overflow (25 points)
  • 2 x 20 pt machines
  • 25 pt machine
  • 10 pt machine

25/100

I completed the buffer overflow machine in about an hour. I tried to work quickly and efficiently but I made sure to never rush. My final exploit worked on the first go which was a great relief. Getting those 25 points settled me nicely into the exam.

55/100

Next up was one of the 20 point hosts. I made some initial progress but got stuck after an hour or 2. Time for a break. Being away from my screen for a while really helped. When I got back I knew exactly what to do and quickly got a low privileged shell. The privilege escalation went smoothly and I now had 45 points, 5 hours in.

On to the next 20 points. I spent half an hour looking for a foothold but couldn’t find anything particularly interesting. I knew I was missing something crucial and took a step back to do some more enumeration. While I was waiting on a few programs to finish, I took a look at the 10 point box. The way in was quickly identified and 15 minutes later I had 55 points!

75/100

This meant that with 2 machines left, I had 2 shots at getting the required 70 points to pass. I was just about to run out of ideas for the 20 point host when finally I found a potential foothold. Leveraging this finding to get a low privileged shell took more time than I would have liked. An hour or 2 passed without any real progress. I looked at what I was trying to do and figured it was way too complicated and there had to be an easier way. Keeping it simple helped: within 30 minutes I had a shell. Luckily, escalating privileges was a breeze which meant I was now at 75 points.

Before attempting the 25 point box, I went back to my notes and double checked that I’d made enough screenshots for my report later. I triple checked that my screenshots of the collected keys were according to the exam requirements. For each host I added a high level summary at the start of my notes describing how I found the way in, how I exploited that to get a shell and how I escalated (this proved to be very helpful later when writing the report). When I was confident I could produce a walkthrough type of report for each box I took a break to have dinner and relax a little bit.

Time to try harder

I resumed my exam with 12 hours left and was determined to crack that 25 point box. This looked like a tricky one. I found 1 potentially interesting piece of information but it wasn’t enough. More enumeration and some manual searching finally led me to the missing piece of the puzzle.

An hour later I had a shell on the 25 point machine. I had 11 hours left to escalate and get the elusive 100 points. Now this is where the whole “Try harder” thing came in for me. It took me 10 minutes to spot the attack vector to escalate. I knew how to do it and I had all the required parts in place 30 minutes later, but for some reason it just wasn’t working. I spent hours going in circles, repeating commands, starting over, trying again. If this hadn’t been the last box this would have been the moment to stop and move on to the next one. But it was the last box and I knew I was very, very close. I was just missing one tiny thing, I was sure of it.

100/100

I took a break, my last break, and went outside for a walk. It was nice to get outside for a bit to clear my head. It was now past midnight and I had 7 hours left. I was also getting tired. When I got back my mind went into full debugging mode for 2 hours. I verified every step, ruled out some things and eventually identified a possible problem. The fix was easy but I wasn’t sure it would work; I was just trying everything I could think of. I reset the machine, tried again and… success! I really did not expect to get the full 100 points but somehow I did it.

It was very late, I was tired and I knew I had a report to write. I quickly went over my notes again and also double checked the keys I’d submitted in the exam control panel. I felt there was nothing more I could do at this point so I informed my proctor that I wanted to end the exam at around 4AM.

Thoughts on the exam

Don’t mistake this for arrogance, but I honestly expected the exam to be more difficult. I think this stems from reading too much about it, especially write-ups not unlike this one where people make the exam out to be some hellish nightmare.

The exam was challenging and should not be underestimated but it’s not nearly as difficult as some reports make it out to be. I think it is more about staying composed and having some sort of plan than it is anything else (the knowledge should be all there).

Writing the Exam report

Unfortunately I wasn’t able to start writing my report until 7PM, which meant I had exactly 12 hours before the deadline. I had practiced with the template before but still, it was taking a very long time.

I must admit that I rushed writing up the Buffer Overflow and the other 25 point machine a little bit but I felt all the info was there. My final report totaled 72 pages. I carefully followed the instructions to submit my report and at 4AM I had officially finished.

Later I found out I had failed to include a tiny detail that was required. I also messed up some of the formatting here and there. This had me worried for about a day. I read about people scoring 100 points, then messing something up in their report and still failing. As the days went by I figured my report wasn’t perfect but probably sufficient.

Things that helped me

  • Breaks. I know everyone says this and I must say I was skeptical at first but it really, really helps. A lot. I was able to step back and analyze problems at a higher level without getting caught up by all the details on my screen(s).
  • Reading the exam guide multiple times and understanding all the requirements for your exam report in advance. The reason for this is simple: it’s easy to miss something and if you do not follow their guidelines they might fail you, even if you score 100 points. Know exactly what is required of you.
  • Going after low hanging fruit is a good strategy, however, I found it helpful to at least have a general idea of all the services running. Don’t just start throwing exploits at the first thing you find. I know this is common sense but I also know it might be tempting to try and go for a quick win. You might end up in a rabbit hole.
  • Know when to move on to the next host. If you spend hours and hours on a box without making any progress you risk burning out. The mental aspect of this exam is very much real. Do not get demoralized. Shift your focus to another box.
  • Keep it simple. This is an entry level course.
  • For the labs: taking a hint once in a while is OK. You can’t know what you don’t know. Just make sure you learn from it. Don’t let them brainwash you with the whole “Try harder” mantra.

The result

Waiting for the result was stressful but I got the liberating email relatively fast and am now OSCP certified! On to the next challenge.

I enjoyed PWK and would recommend it to anyone who is interested in the subject. Thank you for reading. If you are currently going after your OSCP certificate, good luck!
