Path to OSCP

Pre-Lab First Steps

I started getting ready for OSCP about 2 months before starting the labs; I did this because I only had enough funds for 2 months of lab access. In those 2 months before the labs, I casually attempted several boot2root VMs from VulnHub. I had limited success with these VMs, often having to go through the walkthroughs listed on VulnHub to finish them. See the bottom of this post for a list of VulnHub VMs that helped me. The important thing with this course is to keep trying and learning even when you feel desperation and experience failure.

Getting Started With PWK

Once you get your course material, I'd recommend that you go through all of it and complete the exercises. Be conscious of your time; don't spend more than required on the material. In my case, I didn't read the PDF but watched all the videos and then decided to go straight to the labs. I often had to reference the PDF while in the labs, so you should read the PDF!

Note-taking is extremely important throughout this course. I used KeepNote, but use whatever you prefer and can be effective with. You'll want to structure your notes as well; I had several sections: Priv Esc, Attack Books (where I'd keep runbooks for all the protocols I encountered), and Tools (where I had a quick reference of all the tools I used a lot and their common flags). Then in my notes I had a page for every IP where I pasted all my scans, any information related to the system, and finally the glorious proofs. The main thing is to find a structure that works for you and that you'll follow. You will thank yourself when you're 9 hours into the exam and can't remember what to do with WebDAV.

Labs

Everyone has a different method when going through the labs. I did a ping sweep, saved all the IPs in my notes, then attacked the IPs lowest to highest. There were some easy ones in the lower IP range that were good to start with, and the harder ones were spread out.

The time required to go through the labs was a lot. Every weekday, I'd get home and start on the labs around 6pm, then work on them until 12 or 1 in the morning. My goal was to get at least one low priv shell or one priv esc every day. Some days I'd get none and some days I'd get two or three. The labs were trying technically and mentally; they challenge you to learn more and apply it.

There will be times in the labs where you just can't get something to work, and you'll be tempted to just go to another machine. Sometimes this is a good idea: give yourself a break from a problem and work on something else. However, it's easy to get into a habit of machine hopping. Machine hopping is dangerous; if done too often your progress will stagnate and you'll feel like crap. Try to keep hitting that system with everything you have until you get something that will lead to its compromise. If you're still stuck after hours and hours, re-do your enumeration and check whether you've enumerated all the possible protocols and the services behind them.

My favorite system in the labs was dotty; it was challenging and I used some new techniques to bypass some BSD quirks. I ended up getting proof on 32 lab machines. I stayed in the public network mainly. Overall, all the machines are going to be a challenge; there's no free lunch in the PWK labs, you gotta put in the work for that sweet sweet proof.

Flow

An important but often neglected part of the PWK labs is your own flow. By flow, I mean the standard approach you take when attacking a new machine, including your standard enumeration. This isn't an end-all-be-all, but it will keep you from missing easy stuff and keep your methods organized.

Find the scans and tools you use often and create a standard flow that can be reused on other machines. For instance, I typically would start off with nmap -sT -p 1-65535 <ip> to get a sense of what the system was doing, then run nmap -A -p <ports> <ip> to narrow down on the services, and then finish port scanning with a UDP scan.

Once you find open services, I would use my "Attack Books" mentioned earlier to start enumerating them. For instance, with http/https I'd start off a nikto and a dirb scan simultaneously. Also, you should be pasting all this information into your notes so that you don't have to re-scan or spend ages scrolling up in your terminal looking for output.

Once you get low priv access, I'd use the same method. I have a set of enumeration steps I'd take to look for known issues/weaknesses such as a cron job with bad permissions. It's easy to waste time attempting priv esc, so keep checking things and saving all relevant information.
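The scanning and web-enumeration flow described above, written out as an added example script (not code from the original post). It assumes nmap, nikto and dirb are on PATH, writes everything under ./notes/<ip>/ so the output lands in your notes instead of scrollback, and only launches scans when given an IP argument; the parsers run offline on a constructed sample of nmap's grepable (-oG) output.

```bash
#!/usr/bin/env bash
# Assumed: nmap, nikto, dirb on PATH; UDP scans (-sU) need root.
set -euo pipefail

# Constructed sample of nmap -oG output, used to exercise the parsers offline.
SAMPLE_GNMAP='Host: 10.11.1.5 ()  Ports: 80/open/tcp//http///, 22/open/tcp//ssh///, 443/open/tcp//ssl|http///, 135/filtered/tcp//msrpc///'

# Read nmap -oG lines on stdin; print open ports as a comma-separated list (e.g. 22,80,443).
extract_open_ports() {
  { grep -o '[0-9]*/open/' || true; } | cut -d/ -f1 | sort -n -u | paste -s -d ',' -
}

# Read nmap -oG lines on stdin; print "<port> <scheme>" for each open web service.
# nmap labels TLS web services as "ssl|http" or "https", so pick https for those.
web_services() {
  { grep -o '[0-9]*/open/tcp//[a-z|-]*http[a-z|-]*' || true; } |
    awk -F/ '{ s = ($5 ~ /https|ssl/) ? "https" : "http"; print $1, s }'
}

# The flow for one target: full TCP sweep, -A on the open ports, web enumeration, then UDP.
scan_target() {
  local ip="$1" out="notes/$1" ports
  mkdir -p "$out"
  nmap -sT -p 1-65535 -oG "$out/tcp-all.gnmap" "$ip" > "$out/tcp-all.txt"
  ports=$(extract_open_ports < "$out/tcp-all.gnmap")
  if [ -n "$ports" ]; then
    nmap -A -p "$ports" "$ip" > "$out/tcp-services.txt"
  fi
  # nikto and dirb run in the background per web port; process substitution keeps
  # the loop in this shell so that 'wait' below actually waits for them.
  while read -r port scheme; do
    nikto -h "$scheme://$ip:$port" > "$out/nikto-$port.txt" 2>&1 &
    dirb "$scheme://$ip:$port/" > "$out/dirb-$port.txt" 2>&1 &
  done < <(web_services < "$out/tcp-all.gnmap")
  wait
  nmap -sU --top-ports 100 "$ip" > "$out/udp-top100.txt"
}

# Usage: ./flow.sh <ip>   (no argument: nothing is scanned, only the parsers are defined)
if [ -n "${1:-}" ]; then scan_target "$1"; fi
```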

Exam Attempt 1

My first attempt did not go well: I only fully compromised one system and had low priv access on one other. Also, I couldn't get the buffer overflow to work. It was a failure in several ways: bad time management, poor planning and execution. Immediately after time ran out, I did a debrief and wrote down everything that I had failed at and everything that went well. I'd recommend that you write a debrief after your exam; it helps you know what you need to work on.

After the first attempt and with my debrief, I knew what I needed to work on. My issues were with the buffer overflow and Windows priv esc. I got to work on vulnserver; it has several buffer overflow exercises which helped me a lot. Also, I hit VulnHub again with the same 6pm-12am schedule that I had used in the labs. My lab time had ended at this point; it would have been nice to go back into them. Ideally you should schedule your exam so that you'll have another week or so of lab time to practice if you fail. Failing the OSCP sucks, but all you can do is go up from there.

Exam Attempt 2

My goal with the second attempt was to start with the higher point machines first, while I was the freshest. First was the buffer overflow box at 25 pts; practicing with vulnserver paid off. Got proof on the buffer overflow in the first 2 hours. Then I started on the other 25 point machine; it was a fun challenge and only took another 2 hours to get proof. The rest were a lot more challenging for me. Ended up getting all but one 20 point machine. Overall this attempt was much better, and my practice paid off. It's a great sight to see the pass email from OffSec.

Conclusion

It was a good experience, and it's something worthwhile. It was about a 6 month journey for me altogether, with 2 months in the labs. This cert tests more than technical knowledge; it tests your will, grit, and determination. Keep trying and learning from failure, and you'll pass. Thanks for reading.

Resources

Here's a list of public resources I used during this. Hopefully you'll get some use out of them.

Good VulnHub VMs for Practice

General Guides

Priv Esc Info