Offensive Security

A few days ago, I got confirmation that I passed my OSCP exam, in my first try. There are thousands of writeups available already I know, the point is everyone has a different story to tell. Please keep a few things in mind while going through this writeup so as to avoid any confusion:-

-All of which I will say are strictly only my opinion, I don’t mean to undermine anyone else

-Everyone is different ,learn at different rates, have different views, while I respect my readers opinions ,hope I get the same response as well.

So I am a third year B.Tech CSE student from India. I heard about OSCP from a workshop conducted in my college on March 2019 where the trainer was impressed with what I had to offer and encouraged me to go for OSCP. Obviously I had no clue what it was (my skills at that time were extremely limited) , so I looked it up online and was blown away with what people said about it. I knew that I had to upgrade my skills in order to even compete with the talent in the world.

Summer came and I had taken an internship/course in Chennai . My day time involved doing the work in the internship. At the night , I was left with 10 mbps internet, I think that’s when I realized to grab this opportunity and started downloading vulnhub ctf machines randomly and try rooting it. Obviously I couldn’t , I had never solved ctfs or anything before. So for a week, I just looked at online walkthroughs on how to solve it and tried solving it. I have a strong memory , so I never documented anything or even bookmarked the link , which I think gave me an advantage over many people preparing because if I ever came across similar , I would immediately solve it without wasting time. Slowly I was able to solve the machines ,partially with help of writeups , sometimes without writeups, but another problem came, privilege escalation! I had very little knowledge in linux and decided to leave privilege escalation for sometime later and concentrated on getting the initial shell first. Slowly I could see results in about a month , then I started Hack the Box in around mid June. Again, I found it extremely difficult, especially the pivesc part, so I decided to take a linux system admin course to improve my linux privilege escalation (I’ll provide all links below). I stayed up nights even for the simplest of things like sudo privilege escalation because I wanted to be perfect in it.

I kept up the momentum and by September 2019, I had cracked around 50 vulnhub machines along with hacker rank in htb and was even certified in eLearnSecurity Junior Penetration Tester. I don’t think I was anywhere near ready for OSCP, but I was extremely happy with my own progress. One thing I was not good at was windows machines and I dedicated myself the whole of September for it by trying to read writeups and solving retired htb writeups of windows. In the beginning of October, I was pleased to see myself getting better at windows as well .

Due to certain personal reasons, I lost all my hard earned focus and motivation for the whole of October and first 20 days of November. When November was almost ending, I picked up myself and put myself through rigorous training to finally get over my personal shortcomings and got two certifications in a span of ten days as a confidence booster i.e. the AZ-900 and eLearnSecurity Network Practical Defense. Both weren’t related to penetration testing , but the fact that I could solve two exams in ten days was a huge confidence booster.

By December 6th , I was back in the business and was again solving vulnhub and Hack The Box machines with full vigour and concentration. I had originally planned to take the labs in January 2021 while in my fourth year, but I decided to take it in January 2020 because I felt I had tick marked all the required skills way before than I envisioned. I had decided to spend all my remaining money I earned in my part time job (initially I had saved money for a new laptop, but I decided to go for the three month lab in OSCP). I paid for the labs on 21st December 2019, got my lab start date as 5th January 2020. . Before the labs, I quickly solved two active htb machines (Traverex and Postman) to gain the required confidence for the labs.

The day for the labs came(I had opted for three month labs) , needless to say I didn’t read the pdf nor watched the videos which came with it. I directly dove headfirst into the labs , I wasn’t disappointed too, I think the labs were very well made. There were certain machines which had certain rabbit holes so I used to ask people in discord for hints and they helped at times, sometimes I found it on my own. Overall I learnt a lot, although I was in the old labs meaning most of the privesc in those were kernel exploits in an unintended way. Sometimes I found the intended way, sometimes I didn’t. Now few things I would say about my experience which would greatly differ from most others:-

-I extensively used metasploit in the lab

-I never made a report or documented anything at all.

-Granted I was in a three month lab , but I might have worked a total of not more than twenty days because I had too much work going on in the college . But those twenty days, scattered throughout the three months.

-Out of the big 5(fc4,ghost ,pain, sufferance,humble) , I only pawned 4 , I couldn’t even get the initial shell in ghost but later after the exams I asked a certified friend about it and was shocked to see it was damn easy!

In total I pawned perhaps 35 machines . I did perform some pivoting and tunneling but I did those things because I was bored and had nothing else to do. Meanwhile ,I scheduled my exam for 12th May 2020. But with the covid-19 threat looming ,I got my summer vacation preponed and I was home by 16th March and so I rescheduled my exam on 29th March.I had strategically kept it on 29th , 5 days before my lab ended so that I could fall back to the lab one last time in case I failed. But due to an internet problem, I wasn’t able to give my exam on 29th and requested offsec to give me another chance free of cost , which they did and I rescheduled my exam to 19th April this time.

So I had 21 days to prepare now , I was determined to complete it one go because I didn’t trust my internet :p . I downloaded even more vulnhub machines and solved them with/without writeups. I tried solving a few hard machines in htb using ippsec’s walkthrough. I must say ippsec is a must, by the time I completed my oscp, my youtube homepage was filled up with ippsec video recommendations. I even signed up for Pentester Academy’s www.ctf.live , I must say their challenges especially the web app challenges are a bit similar to what you would expect in the labs. I got totally into it and was eventually world no. 18 for a while (As of writing , I have dropped down to world no. 40) .I must say its a very good platform to learn, they even provide hints too in the discord platform but try to do it without hints if you’re already acquainted with ctfs. I think that’s where I developed the skill of modifying publicly available exploit code and it definitely helped.

Eventually 19th April came , and I was very confident and pumped up and thankfully my internet connection cooperated with me that day :) . I think the proctoring was quite non intrusive, to the point I even forgot it was a proctored exam. I would recommend people to use Kali Linux as a virtual machine for maximum benefits. I eventually got 77.5 points (passing is 70 ) and obtained my certification.

My Strategy:-
I think people take OSCP too seriously but that’s still better than taking it lightly , it’s one of the most difficult exams in the world for a reason. Below are some enumeration techniques I used for the exams which will work very well . Also you need a lot of self belief and patience to find the vector, and I think that’s primarily why more talented people than me have failed i.e. just because I cleared OSCP while in college doesn’t make me anything special please bear it in mind.
Major attack vectors:-
21-FTP:Anonymous login, check version for exploit,if logged in, check for files, check for ssh keys or if you can access .ssh file, try uploading shell if reflected in web server.
22-SSH:- Probably not useful unless you uploaded key anywhere or found a private key file,sometimes useful for log file poisoning with LFI.
25-SMTP:-Check for version, LFI chaining log file poisoning , User enum perhaps
110-POP:-Same
79-FINGER:-User-enum
135,137,445-Samba, SMB:- Run enum4linux, check version, null session. If access to file system do the same as ftp attacks. As a rule I would say it for any file service running to try all this
For the above ports, its best to use NSE’s along with your enumeration.
80/443-HTTP/HTTPS:- Lots of strategies,check server name for vulnerability, usually a software will be running with a vulnerability, lots of googling required, try to read the exploit code, most of the time it will give a hint whether you’re in the right spot or not, run dirbuster, nikto , check the response size and manually check for the webpage in the dirbuster output i.e. don’t assume stuff, nikto is prone to false positives as well keep in mind, but nikto can spot the put functionality enabled so as soon as you see a file server type layout webserver , run nikto first,enumerate for shell shock vulnerabilities .
If found login page, google for default creds ,try logically finding the username password using cewl, check for sqli, check the url for LFI,RFI and sql injection. Once logged in try searching for the file manager to upload shell (my first step always .Also general rule , php shell for linux, aspx shell for windows IIS ) .Sometimes you wouldn’t need to login for an exploit to work i.e. it can be a rabbit hole if you are able to login easily so read the exploit code properly.
For wordpress use wpscan, for joomla use joomscan and for drupal use droopscan . They are known to have a lot of vulnerabilities.
Keep one mantra, the answer is simpler than you think!
3306-MYSQL:- Check for version , passwordless connection,authentication,if authenticated try to see if you can upload shell.
8080,8000-HTTP-Proxy:-It’s the same strategy as 80/443.
UDP ports:- Usually not useful for exploitation , but you never know !
While enumerating using the above strategy, please run a full port nmap scan in the background. Any other port which pops up ,please google it, I think that will be enough.
I think you don’t need anything beyond what I wrote for initial shell. Anything more than that is overkill. Just poke at every hole, you’re bound to find it .
Privilege escalation:- Probably my favorite part .It used to be my most difficult topic to understand, because I had to learn everything on my own but I am proud that it was all worth it. Key takeaways to understand privilege escalation is you have to understand how the operating system manages data , services and users. Because it is in depth ,I will speak under two separate heading my strategies for linux and windows.
For Windows: — I think windows is tougher than linux in terms of understanding the internals and working. I would recommend getting hold of a good course explaining windows server administration and then try to understand it. But in OSCP , windows privesc is not that hard to understand. First thing to do would be to upload winpeas.exe , its a superb tool for enumerating windows privilege escalation.Also upload accesschk ,its very useful and does not come installed as a CLI in the latest windows editions. Usually it’ll highlight what you want which would be usually one among the following:-
-Kernel exploits(Last resort also highly unlikely)
-Service exploits(Most common) . It includes insecure permissions, unquoted paths, etc.
-Registry exploits
-Sometimes passwords stored in plain text or hashed . Believe me winpeas can find this out as well
-Scheduled tasks
-Hot and juicy potato
-Insecure permissions
Pro tip:-If winpeas is not able to catch it, it might be an installed vulnerable application so enumerate the Program Files .
For Linux:-I personally feel it much easier than windows because I am much more familiar with it in terms of internals. But if you don’t feel like, do try taking a linux administration course as well for this. My strategy is usually uploading LinEnum.sh , however don’t forget to manually enumerate it as well . Keep in mind that LinEnum only outputs out information and you have to go through it manually and spot the misconfiguration. Absolute beginners can use linux-priv-checker as well but I have noticed that script sometimes doesn’t give me the desired output. Even ippsec uses LinEnum simply because its much more thorough in collecting as much as info possible .Nevertheless , it’ll usually be one among the following:-
-Kernel exploits(Last resort)
-Sudo permissions
-Suid permissions
-Cronjobs
-Running processes( eg. mysql)
-Writable conf files(eg writable permissions on /etc/passwd file)
-Reusable creds (rare too)
-Path privesc . Sometimes you might find a script with faulty permissions, you might just be able to escalate privilege leveraging that.
-Mountable file system
-Docker group privilege escalation
However one thing should be clearly understood for both and that is the permission model for both operating systems , they slightly differ so keep in mind.
It is expected that you research about all the privilege escalation vectors all by yourself for maximum productivity.
Lastly ,I think hacking articles was an excellent source for privilege escalation.

Sources:

(Note:- Some of these are paid courses and I am not endorsing any course for my or any organization’s benefit . I merely found these courses useful along my way and I hope you find it as well)
Excellent course to learn about linux
https://www.udemy.com/course/complete-linux-training-course-to-get-your-dream-it-job/
Excellent course to learn how windows works
https://www.udemy.com/course/complete-windows-server-2016-administration-course/
Excellent list of courses to learn basics of penetration testing and python:
https://www.udemy.com/course/learn-ethical-hacking-from-scratch/
https://www.udemy.com/course/learn-python-and-ethical-hacking-from-scratch/
https://www.udemy.com/course/learn-website-hacking-penetration-testing-from-scratch/
https://www.udemy.com/course/practical-ethical-hacking/
Platforms to learn practical ethical hacking for fun and usefulness.
https://www.hackthebox.eu/
https://www.vulnhub.com/
https://www.virtualhackinglabs.com/
https://tryhackme.com/
https://microcorruption.com/ (If you want to try buffer overflows )
https://www.ctf.live/
Scripts I kept in my Kali machine before the exam began:-
nmapAutomater: — A truly beautiful script which outputs almost everything which you need in the exam for recon. Ran it in the background while doing the buffer overflow machine
https://github.com/21y4d/nmapAutomator
Droope scan:- A scanner for drupal
https://github.com/droope/droopescan
Joomscan : — A scanner for joomla
https://github.com/rezasp/joomscan
Nishang : — A set of tools useful for post exploitation in windows
https://github.com/samratashok/nishang
Privillege escalation:-
LinEnum: — Personally my favourite script for linux privillege escalation
https://github.com/rebootuser/LinEnum
Linux-smart-enum: -Another great script I have used in HTB and vulnhub , really good for begginers
https://github.com/diego-treitos/linux-smart-enumeration
GTFO bins: Useful for abusing suid, sudo binaries
https://gtfobins.github.io/
Winpeas :- My personal opinion is , if winpeas can’t find it , pretty much no other script can
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Linux-exploit-suggester: -Only used for kernel exploits in linux
https://github.com/jondonas/linux-exploit-suggester-2
Upgrade shells to proper tty for better enumeration
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
CTF walkthroughs which benefited me the most and learnt something new out of it:-
https://hackingresources.com/bastard-hackthebox-walkthrough/
https://www.youtube.com/watch?v=lP-E5vmZNC0 (Bastard htb)
https://www.youtube.com/watch?v=2LNyAbroZUk (Devel htb)
https://www.youtube.com/watch?v=YHHWvXBfwQ8 (Jarvis htb)
https://www.youtube.com/watch?v=GKq4cwBfH24 (Writeup htb)
https://www.youtube.com/watch?v=K9DKULxSBK4 (Ninevh htb)
https://www.youtube.com/watch?v=2c7SzNo9uoA (Silo htb)
List of machines I solved with/without writeups :-
https://www.vulnhub.com/entry/matrix-2,279/ (Matrix 2)
https://www.vulnhub.com/series/my-file-server,279/ (My file server series)
https://www.vulnhub.com/series/dc,199/ (DC series )
https://www.vulnhub.com/entry/sickos-11,132/ (Sick OS 1.1)
https://www.vulnhub.com/entry/unknowndevice64-1,293/ (Unknown device 64 1)
https://www.vulnhub.com/entry/linsecurity-1,244/ (LinSecurity 1)
https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/ (BSides Vancouver 2018)
https://www.vulnhub.com/entry/dina-101,200/ (Dina 1.0.1)
https://www.vulnhub.com/series/kioptrix,8/ (Kioptrix series)
https://www.vulnhub.com/entry/skytower-1,96/ (Skytower 1)
https://www.vulnhub.com/entry/hacklab-vulnix,48/ (Vulnix)
https://www.vulnhub.com/entry/sickos-12,144/ (SickOS 1.2)
https://www.vulnhub.com/entry/recon-1,438/ (Recon 1)
https://www.vulnhub.com/entry/my-web-server-1,463/ (My web server 1)
https://www.vulnhub.com/series/sunset,225/ (Sunset series)
https://www.vulnhub.com/series/ha,242/ (Hacking articles series)
https://www.vulnhub.com/series/bulldog,138/ (Bull dog series)
https://www.vulnhub.com/series/its-october,297/ (It’s October)
https://www.vulnhub.com/series/rootthis,188/ (Root this)
https://www.vulnhub.com/entry/lord-of-the-root-101,129/ (Lord of root)
https://www.vulnhub.com/entry/my-tomcat-host-1,457/ (My tom cat host)
And many many more
List of HTB machines I solved with/without writeup :- I strictly followed a publicly availble list of Tjnull. Here is the link to it
https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159

I would simply say that there is no guide for OSCP as such. It’s your persistence , critical thinking and passion which will decide whether you’re worthy. I have thoroughly enjoyed each and every moment though it may sound overkill . If you find overburdened , it might be the case that perhaps this certification is not for you. If you enjoy the burden ,then it’s for you for sure.
Lastly I don’t think anyone who achieved a certification as difficult as this did it all by them self . I wanna thank my friends in college who helped in my difficult personal times , motivated me , believed in me and what not . It’s because of you guys I cleared this exam before entering the fourth year. Appreciate the small random acts of kindness which people do because the ones who stick around even when you’re broken , are the ones who really want you to succeed .
Some FAQ ‘s
Q) So is OSCP impossible without any experience in the field?
A) Not at all, I’ve never even worked in an internship. But yes it’s much more difficult without experience, but not at all impossible.
Q) How will I know if I’m ready for the exam?
A)I’ve been asking myself the question since the day I took the labs. The short answer is you don’t . When you’re sure that you can do anything thrown at you or atleast you’re willing to die trying for it, that’s when you’re ready.
Q)Are the labs easy? How many should I exploit before the exam?
A)I personally felt they were of ok’ish level. There are many machines especially made for beginners. There is no perfect number for that. People have passed by exploiting 15 or less machines and failed repeatedly by exploiting all 54 as well. Once you know you got your methodology correct , you’re ready even with 15 or less. Also I would recommend if you asked around for hints if you’re really stuck ,sometimes you might learn something new out of them as well.
Q) Will just looking at the writeups be enough? I don’t feel like downloading a vulnhub vm and setting it up.
A)This highly depends person to person. I have a strong memory as such , so strong that even now I can recollect how I exploited each and every vulnhub and HTB machine even though I never documented it and did it only once so yes for many more machines, I just saw the walkthrough . Some people remember by documenting , by doing, etc .Highly controversial I would say this question
Q)I have solved all the recommended HTB , vulnhub machines , so that means I am gonna rock the exam?
A)Most probably , but hard to say . Are you sure that even if there’s a little bit of twist , you can solve it? Did you actually understand when you exploited the machines ?More importantly ,are you prepared to face the fact that you can fail the exam? If so , I can say that you’re probably ready for exam .
Q) I did everything you said, yet I failed . So I suck? OSCP is not meant for me?
A)No you don’t. Average OSCP holders take upto three times to get certified. I firmly believe a person who passed with the third time will probably know more than me or any first chance passing person and be more skillful than me because he will have given it three times. Passing it first time doesn’t make me a messiah nor failing it makes you a loser . If you’ve woken up and you are better than what you were yesterday, that is all that matters. Try to take a step back and see what could have been managed better. No one is equally well in all departments. People passing it are also normal people, people who once didn’t know what linux was and etc.
Q) Any tips on how to manage the exam pressure?
A) Treat it like any other day of work except this time you don’t have the luxury of writeups. There will probably be only one way into the system and one way to escalate which might not be immediately visible which is what makes the exam difficult. Few machines had some out of the box thinking so don’t just look at exploitdb for exploits. Don’t panic! It’ll be alright. Have lots of water and take lots of breaks. Most of all your internet connection does not fail you that day.
Q)Yay ! I think I have enough points , what next?
A)Take enough screenshots, read the exam guide very very carefully. There has been cases where people have got passing points but failed because they did not follow the guidelines. My view is that if you can’t follow basic guidelines , then you deserve to fail because if you submit a faulty report to a client, he’s not coming back to you ever . Be very careful during the report making process , don’t be in a hurry , take your time .
Q)Should I complete the lab exercises given in the pdf? I’ll get five more points and I can pass a little more easily then right?
A)Again it depends on you. If you’re really enthusiastic and you really need the practice and you’re not the kind of person who can absorb a lot of information in a short amount of time, go for it. I personally didn’t want to waste my time ,also my goal was to atleast root both 20 pointers in the exam(which I eventually did!) so I devoted the time to better myself in privillege escalation instead of the exercises. That being said, if you simply want to pass and you’re not good with privesc, I’d suggest you to do the exercises , you can probably escape the exam without privesc but it’s not suggested that you do the exercises with that sort of mentality. Five points can be the difference between passing and failing too so you decide what’s best.
I hope my writeup inspires not only OSCP aspirants , but also other people who believe hard work doesn’t pay off. It might pay off late , but it always does big time!

I tried harder!

Cats, pizza and cyber security are all I live for! Follow me for a wide variety of topics in the field of cyber security. OSCP ,CRTE , CRTP ,CKAD holder.