The New OSCP Course & Exam Review

Introduction

Obtaining the OSCP has been one of my career goals. When I first started my InfoSec career as a security analyst, I was confused about how attacks actually work, and without such knowledge it is really difficult to set decent detection points.

As I said, I do not have experience doing penetration testing, so I decided to do A LOT OF preparation, as I think being over-prepared is always better than being under-prepared.

My aim was to pass the exam in one take.

Preparation before starting OSCP

After setting the goal, there was a lot of preparation. As stated in previous posts, I had done Virtual Hacking Labs, eLearnSecurity eCPPTv2, some Hack The Box, etc.

Before registering for the official OSCP course, I recommend at least trying Hack The Box, along with Ippsec's write-ups, which show how a professional penetration tester deals with boxes and how he comes up with what to do next.

TJ_Null has a list of boxes with Ippsec videos:

For people who do not have any CTF / penetration testing experience, I would recommend rooting at least 10 boxes before jumping into the course. As a side note, Ippsec is a real PRO, and many times when you watch his videos you will be quite lost about what he is doing - a 30-minute write-up requires you to do more research to understand what is going on! Do not underestimate the effort you have to put in :)

Also, the Practical Ethical Hacking course by The Cyber Mentor is excellent! It gives you a basic idea of what a penetration test is, and it is comprehensive!

During my studies, I made good use of GitBook as a knowledge base, and I found it really useful!

Once you have an idea of what a penetration test looks like, you may jump into the course!

OSCP Course

The course was updated in 2020, and the material grew dramatically! Personally, I don't think you can finish the course book within a week (given that you have a job, like me!). In view of this, I would recommend registering for at least 60 days of lab time. The material has a Windows AD section, which is very valuable! You can also expect to see related boxes in the lab.

It took me roughly 10 days to study and finish the exercises in the material. To be honest, some of the exercises are pretty annoying to document.

Some people suggest jumping into the lab directly and skipping the course material, but I would not recommend doing so. The reason is that I find it quite well written, and it equips you with the essential knowledge to get into the lab and the exam. If you follow and understand the material, I would say you are 80% prepared.

After finishing the material, it is LAB time! There are around 4 subnets and 67 boxes in total in the lab. The subnets give you a great chance to learn how to persist and pivot, as well as to experience the difficulties & constraints of a pivoting situation.

During the lab time, you may use the official OSCP forum as a learning resource and discuss approaches to the boxes. One thing to mention is that there were ASSHOLES who PMed me just saying "I do not know how to do box xxx. Please help". In such a case, I could easily just give out the answer, but you won't learn anything. Therefore, don't ask such questions. If you want to ask, please describe what difficulties you are facing, what you have done, what attack path you have in mind, etc.

I had done all of the boxes by around the 75th day. Some of them are damn easy, some of them are tricky, but overall they are quite interesting.

While doing the boxes, I kept documenting as if I were in the exam. I used KeepNote and Greenshot to keep my notes organized with screenshots. Also, I kept a spreadsheet of the boxes I finished, with the key learning points, areas where I was weak when doing the boxes, etc. In this way, I could easily remind myself of which areas I had to improve and research more.

Post Lab

Do not stop doing boxes. At this point, you could keep doing Hack The Box / Virtual Hacking Labs / TryHackMe.

Personally, I strongly recommend TryHackMe for practice / review. There are some rooms for practicing your basic knowledge, with step-by-step walk-throughs. You may just deploy the machine, try to root it yourself, and then look at the step-by-step to check whether there is anything you missed. There are also some Buffer Overflow boxes for you to practice on - make sure you know what to do with a Buffer Overflow - that's a free 25 marks in the exam!
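As an added illustration (my own example, not code from the original post or from the OSCP course material), here is the bug class behind that BOF box written as a small C program: a handler that copies a name into a fixed 16-byte stack buffer with strcpy(), next to a hardened version that measures the input against the buffer first and rejects anything that does not fit. The NAME_LEN size, the handler names and the inputs built in main() are all made up for the demo.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the fixed stack buffer (assumed for the demo) */

/* Vulnerable form: strcpy() copies until the source NUL with no regard for
 * the destination size, so any input of NAME_LEN bytes or more writes past
 * `name` on the stack. Kept here for contrast; this program only ever passes
 * it a short, constructed input. */
static int handle_name_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* overflow when strlen(input) >= NAME_LEN */
    return (int)strlen(name);
}

/* Hardened copy: measure the input against the destination size before
 * copying, copy at most dst_len - 1 bytes, and always NUL-terminate.
 * Returns the number of bytes copied, or -1 when the input does not fit. */
static int bounded_copy(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_len == 0) return -1;
    while (n < dst_len && src[n] != '\0') n++;   /* bounded strlen: stops at dst_len */
    if (n >= dst_len) {
        dst[0] = '\0';              /* leave a valid (empty) string behind */
        return -1;                  /* reject: would need n + 1 bytes */
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Hardened form of the same handler: same buffer, same intent, but an
 * over-long input is rejected instead of corrupting the stack. */
static int handle_name_safe(const char *input) {
    char name[NAME_LEN];
    return bounded_copy(name, sizeof name, input);
}

/* Would an input of `input_len` bytes overflow a buffer of `buf_len` bytes?
 * Encodes the off-by-one people most often get wrong: the NUL terminator
 * needs a byte too, so input_len == buf_len already overflows. */
static int would_overflow(size_t input_len, size_t buf_len) {
    return input_len + 1 > buf_len;
}

int main(void) {
    /* Constructed inputs: one that fits, one exactly at the limit, one far over. */
    const char *fits = "alice";
    char limit[NAME_LEN + 1];
    char over[64];
    memset(limit, 'A', NAME_LEN);
    limit[NAME_LEN] = '\0';                 /* 16 'A's: one byte too many */
    memset(over, 'A', sizeof over - 1);
    over[sizeof over - 1] = '\0';           /* 63 'A's */

    printf("safe(\"%s\")          -> %d\n", fits, handle_name_safe(fits));
    printf("safe(16 x 'A')        -> %d\n", handle_name_safe(limit));
    printf("safe(63 x 'A')        -> %d\n", handle_name_safe(over));
    printf("would_overflow(15,16) -> %d\n", would_overflow(15, NAME_LEN));
    printf("would_overflow(16,16) -> %d\n", would_overflow(16, NAME_LEN));
    /* Only the short input is ever handed to the unsafe handler. */
    printf("unsafe(\"%s\")        -> %d\n", fits, handle_name_unsafe(fits));
    return 0;
}
```

Build it with `gcc -Wall -Wextra -o bof_demo bof_demo.c` and compare the two handlers: the safe one returns -1 for the 16-byte and 63-byte inputs instead of writing past the buffer. The check `input_len + 1 > buf_len` is the part worth remembering, since the terminator byte is exactly what turns a "just fits" input into an overflow.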

At this point, you should be confident in the following:
  • Recon using Nmap / AutoRecon
  • Information gathering for common protocols - SMB / FTP / HTTP ...
  • Figuring out the attack path during information gathering
  • Shell manipulation / remote access using PowerShell, nc, nc.exe ...
  • Using local recon tools like LinEnum / WinPEAS / etc.

Feeling quite confident, I scheduled my exam on the day right after my lab expired.

Exam Day

My scheduled start time was 11:00. I woke up at around 8:30, had a nice breakfast, and got my environment ready. Having some free time, I rooted one more box on TryHackMe as final practice.

Around 10:45, I logged in to the exam portal and started setting up the screen recording.

Around 11:10, having finished setting up the VPN and verification with the proctor, the exam started!

First, I started Nmap on all boxes to save time. You could also run AutoRecon for this part.

I finished the BOF box in about 1 hour - having practiced enough in the lab and on TryHackMe, this went really smoothly and the exploit was done without a single issue. 25 marks free!

Then I tackled a box - quite straightforward. It took 50 minutes to pop a low-privilege shell, and then 30 more minutes to get root.

Then I went on to another highest-score box. Quite a lot of rabbit holes, as expected - since I had had enough practice during preparation, many holes were avoided quickly :) Got a low-priv shell after ~30 minutes. Then I had my lunch and took a short break. I was stuck for a while on priv-esc. After rounds of trial and error, I figured out the trick to doing the exploit after 1 hour 15 mins. Rooted!

So after around 4 hours, I had already obtained enough points to pass!

Then I moved on to another box, which ran an uncommon application, so it took me quite a while to do information gathering. After 1.5 hours, I had a low-priv shell. Priv-esc was straightforward. Done!

Then I moved on to the final box - which was supposed to be the easiest one. With proper enumeration, I got root in around 50 minutes.

From exam start to everything rooted, it took me around 7 hours, which was a really satisfying performance!

I took an extra 3 hours to finish the report, making sure all the screenshots needed were captured and the steps were explainable. Then I told the proctor to end the exam.

Certified

After 4 business days, I got the notification email from Offensive Security - passed!


Final Word

To pass the OSCP, you do not need to be a genius - all you need is to TRY HARDER! Don't be afraid of struggling in the lab (because it is a must). Don't be afraid of reading others' write-ups and learning from others. Be brave enough to learn things that are difficult to understand!

With enough practice and your own methodology figured out, you can finish the exam!
