I started my journey of studying towards OSCP in 2015, after an initial 90 days of lab time my day job along with a new baby made me place it firmly on the back burner! The initial 90 days were frustrating and although I was making progress I found it difficult to find any flow or natural flair for the techniques. Yes, I understood the technical side, but the execution was very different.
Fast forward to January 2020, the project that took up my time since 2015 had finished and my children were now old enough to allow me more time to study. From Early December 2019 I had decided to focus on personal technical development as my Master by Research in 2015 was the last piece of formal training I had completed and it was time to go through my tool box and appraise where I was in terms of skills and where the wider market is heading in terms of requirements and opportunities. So in this time I completed the Udacity Developing Android Apps with Kotlin course (which was excellent) as I have a professional interest in the Android ecosystem specifically for specialist users in hot, dusty and secure environments. Although seemingly a very different subject it actually helped me develop my weak software development skills (I have never been a developer, I have picked up bits of Python but I have never been what I would describe as proficient) in a structured manner. I cannot reinforce this enough: for OSCP you need to be able to look at code and follow the flow of what it does in terms of variable declaration, loops, and to understand or to figure out what various functions do.
The labs V1
So I picked up the OSCP, (or more accurately Penetration Testing with Kali Linux (PWK)) in the January by purchasing 60 days of lab time (this effectively carried on from my previous attempt several years ago). I started with the intention of targeting an exam in early March. I compiled a list of resources to assist with my studies and the mjkranch.com Tips for success in PWK guide was an excellent early resource. Essentially this guide provided a path through the lab and exercises to try and build experience on the exercises within the lab course work. He suggests that the following order is undertaken:
- Study chapters 1-4
- Do the initial lab range recon (mapping the network IP’s, Hostnames and DNS)
- Chapters 5.1, 9-11, 14 and 16 (skipping Buffer Overflow, Client Side Exploits, Web and Tunnelling)
- Attack first boxes in lab, re-read chapters 4.3 and practice on the lab (start with JD and work some of the low hanging fruit from your enumeration)
- Chapter 13
- Attack Alpha, Beta and potentially Mike
- Chapters 12, 15, 17 and 18
- Attack Gamma, Mike and Jeff
- Finish off the exercises (5.2, 6-8, 9.2 and 16.7)
- Get as far as you can in the labs.
This method worked well for me. During this time I developed my enumeration technique, using the Auto-recon script for each box, which significantly reduced the enumeration and tool running time. By the time I got through to Gamma, Mike and Jeff I felt as though my enumeration and initial foot hold methodology was pretty well formulated and was bearing fruit. I was still needing to dive into the forums for some direction. For me that was part of the learning process; trying to understand other peoples’ approach and methodologies to fill the gaps in my knowledge. My exam was booked about ten days before the end of my lab time as I wanted to provide additional lab time in the event of an exam failure. This left me around two weeks of lab practice after completing the lab exercises and the exam date.
In the three weeks I managed to root 30ish lab machines along with unlocking the IT and Dev networks. I was still struggling with privilege escalation and trusting my initial analysis of machines. On a regular basis I was finding the correct exploit path relatively early in my methodology, but not trusting my conclusion and wasting time with rabbit holes. At this point it was still taking me up to half a day for each machine (from Auto-Recon to root) which my gut was telling me wasn’t going to be quick enough for the exam. However, the exam was booked and I decided to give it a go to give myself a true bench mark of knowledge/progress.
The Exam – Fist Attempt
The OSCP exam is a 23 hour and 45 minute practical exam, within which you are expected to tackle 5 machines, with the target of gaining root (for Linux boxes) or System (for Windows boxes). The exam isn’t completely blind as you have an exam control panel which describes you targets (IP Address, Points value, reporting requirement etc.) as well as providing the ability to revert each machine and submit your proofs. One thing I would suggest is read the exam FAQ’s very closely, print them out and have them to hand as it may help with exam nerves etc. to figure out what you need to be doing.
This is a remotely proctored exam, for which you have a series of proctors monitoring you via webcam and screen capture. I found this to be a fairly smooth process, however I had some issues with my webcam and screen feeds timing out repeatedly for a couple of hours. The Offensive Security support through this was excellent and worked with me to try and find the source of the issue. Don’t worry if you have issues like this, the support that you are provided with is brilliant. Once I had settled into the flow of the exam I pretty much forgot about the proctoring element and found it un-intrusive.
I can’t write much about the content of the exam, but I went with a widely reported approach of tackling the Buffer Overflow task first, whilst using Auto-Recon to scan the other hosts, ensuring I had plenty of enumeration available when I wanted to take a look at the other machines. This approach was going well until I hit a mental stumbling block, which led me to wasting nearly five hours on a stupid problem with my analysis! Had I decided to down tools on that once I hit the block I think I might of progressed quicker. Anyway after five hours of spinning my wheels, I decided to switch tasks to the 10 point box to build my confidence and within 40 minutes I had my first root.
My workflow was to pretty much write up my report as I worked away, each step I took screen shots (using Image Magik) and save the png files to an export directory and then used the PWK report template in Google Pages on my host computer to write the report. The aim of the exam report is to produce a documented procedure that someone else could complete as a cut and paste exercise, re-creating how you achieved root. Writing up as I went worked fairly well, I wasn’t trying to produced polished wording, but instead capture the commands, reasoning and the major screen shots I required. This then allowed me to come back and polish it with ease in the further 24 hours you have to submit the report.
After rooting the ten point box, I decided to take a look at the remaining boxes to figure out where to apply effort next. I decided to spend relatively short periods of time on each box, ensuring that if I hit a dead-end or a lack of progress I would switch track, trying to maintain momentum. Within another hour I had a low priv root on a 20 point box, but after an hour getting nowhere looking for privilege escalation I decided to return to the Buffer Overflow.
Now I knew where I was going wrong with the Buffer Overflow, but previously I was pretty much just repeating the same actions and getting nowhere (yeah go figure!) This time I decided to write the problem down – pen and paper! (I always use this with BOF!, writing down bad chars, EIP address and other notes) Within an hour I had the Buffer Overflow complete and the POC machine and exam machine rooted.
Now this is pretty much as far as I manged to get, unfortunately due to my earlier errors with the Buffer Overflow, my time management was waaay off. I started at 10 am and was still spinning my wheels at 4pm with the Buffer Overflow. By 5pm I had the 10 point box and after a break for food had the low privilege root on the 20 point box. I spent the next 4 hours or so on the other machines, returning to the Buffer Overflow, finally getting shell at midnight. My low privilege shell for the 20 point box came about 1-2 am. I then made the massive mistake of trying to work my way through the night, pretty much spending the next 4-5 hours cycling between the remaining boxes and not getting very far.
After being up for nearly 24 hours, and with 2 hours remaining I calculated that I had around 40 points and came to the conclusion I wasn’t going to complete this being rather sleep deprived with limited time left, so went to bed and fell asleep.
My biggest mistake was time management. With the initial Buffer Overflow I should of switched tasks after about an hour, as it took this short period of time to get to the problem that I then spent another 4 hours failing at. Theoretically if had done this earlier I might of gained my 40 points easily by late afternoon, leaving me plenty more time to gain the points I required. The other element I was weak on was Linux privilege escalation, I had low privilege shell, but just couldn’t see the path to elevate my privilege.
Back to the labs.
After a couple of days of licking my wounds and trying to process what had just happened, I decided to look back at the lab notes to polish up my privilege escalation techniques. About two week previously the new PWK 2020 course had been released and I had decided to ignore it as the exam was the old exam. I thought I would save my money and carry on. Although heading back to the lab I knew I was going to need to extend my time and therefore needed to upgrade to the new PWK 2020 course.
So I bit the bullet and extended my lab by 60 days again. I now had 800 pages of course notes to work through along with 17 odd hours of videos. I could of decided to skip the material, but I wanted to really sharpen my approaches and I am very glad I worked through this new material, it is pretty much 100% re-vamped and filled in quite a few holes in my knowledge (that the old course appeared to presume), including having a couple of ‘ah ha!’ moments relating to road blocks experienced in my exam attempt.
The new labs and material are excellent, everything has been brought up to date and all of it feels relevant to systems I have deployed recently. It took approximately three weeks of 4 hours a day to work through the lab material, some bits I took more time over than others. I decided this by looking at the exercises in the lab notes and if I could do the exercise without looking at the notes I skimmed that section, if not I dived deeper into it.
With the change to PWK 2020, I manged to dig into the new VM image, which is such an improvement over the previous (and obsolete) 2018 image. One of the problems I faced in the exam was a tool refusing to launch at all. It took a fair bit of fettling to get the 2018 image into shape, but so far the 2020 image has worked out of the box. A nice feature of the lab exercises is that as you walk through them additional tools you require are installed as you go and configured. Everything just seems to work, which is a different experience to the 2018 image and the old labs!
Having worked through all lab exercises, I found skills that I had skipped past in the previous labs was presented in a slightly more engaging way (SQLi) so I persisted and documented every exercise (280 pages!) After that epic undertaking I dived into the labs, targeting the new boxes as a priority.
I had two weeks to pile through the new labs prior to my second exam attempt. In that time I managed to root 34 boxes in the lab, including 4 of the big 5 (darn you 1NSIDER!) This time included two boxes that pushed my SQLi skills (which were pretty much 0) and a lot of practice with priv escalation. Finally the time had come for the next, and hopefully final, exam attempt.
I spent the last couple of days prior to the exam pre-writing the exam report. My plan was to have most of the report pre-written in order to remove the stress on exam day and allow me to drop in the commands and screen shots. As I had pretty much spent the last two months full time immersed in the labs, I spent a couple of days over on Hack The Box – why not?!
2nd Exam Attempt
So, 2nd exam attempt. I had a game plan similar to the first, hit the Buffer Overflow whilst running Autorecon scans and then work in 40 – 60 minute sessions before getting up for a leg stretch.
This time around, having practised Buffer Overflow with the new lab exercises and extra mile exercises I managed to get the first box within an hour and a half, including putting all the code snippets and screenshots into the report. After I submitted the flags I got up and had a ten minute break to reset and relax, as for me the real exam was about to start!
I can’t put anything meaningful about the following 20 something hours, but the phrase Try Harder certainly came to the fore throughout. At one point I had a very good idea of approach on three of the four remaining machines, but just couldn’t find a foothold. At this point I was pretty frustrated and felt like a replay of my first attempt. With this is mind I took a large break and went and grabbed some exercise. Amazingly this managed to clear my mind and I started making progress on the 25 point box, eventually managing to gain root. After much exclamation and dancing, I grabbed all the details and screenshots I needed for the report. The time was 6pm and I was in need for some food.
The next few hours were a frustrating mix of failed recon and going round in circles. I think having the pressure of needing another 20 points sat a little too heavily. Anyway at 3am, yes 3am I finally managed to root a 20 point machine and made sure I had what I needed for the report and decided to grab some sleep. After 3 hours sleep I pulled myself out of bed to see if I could make my pass a little more comfortable. Well in the end I didn’t manage to, but was VERY close to hitting a user shell on the final 20 point box. I kept on attempting up until the VPN dropped out.
With some more sleep and a few hours of editing and ensuring my report was as good as it could be I finally submitted my report at 6pm. 5 working days later I had the news I wanted that I passed and I was now OSCP!
