How I passed the OSCP with 100+10 points

The Offensive Security Certified Professional (OSCP) certification is a highly regarded and challenging certification that focuses on penetration testing. The OSCP exam is a 24-hour hands-on penetration testing challenge in which you need to compromise 3 machines and 1 Active Directory network. Following the exam you have 24 hours to write a report that explains your steps as if you were reporting to a client.

Summary:

The exam tests both your methodology and technical skills. Have 2 sets of notes: 1 for methodology and another for technical stuff (how to exploit, SQL injection, etc.). When you learn a new attack, add it to your technical notes. If your methodology fails, adjust your methodology notes. DO ALL the course exercises, including the capstone exercises (Hint Hint), first and then try the lab networks. The 3 practice exam networks OSCP A-C are the best prep to feel how the exam works. Try to do them without consulting the Discord. Get your 10 bonus points, if nothing else for the peace of mind. DON’T try to speed run and cut corners. Those corners you cut will probably be on the exam. On exam day don’t over-caffeinate and make sure you have food prepped. When writing the report all you need is the Offsec writeup template. Include all screenshots and explain your steps. Also explain how to remediate in the appropriate section. My report was 80 pages. Getting my OSCP took about 5 months of studying in my free time spread over almost 2 years.

Story

Here is my story and hopefully it gives you some insights on how to pass:

1990s:

Back when I was a kid we used to hack stuff on the internet out of curiosity. Rival crews would social engineer each other and deface each other’s websites. It was good clean fun ;) Looking back, compared with today it was very easy: no one knew much about security and servers would be unpatched for months (sometimes years). People exposed all kinds of unneeded services to the wide-open internet. Aside from the .com scammers in Silicon Valley, the internet wasn’t serious business like it is today. It was more like an alternate reality game. The stuff we did back then would get you seriously hemmed up today. It was an exciting time to be alive.

2019:

I switched careers to information security. Defending against attackers kindled something in me again. I discovered cyber ranges (legal places where you could hack servers) like Hack The Box and TryHackMe. The more things change the more they stay the same; the methodology I used back in my youth still applied today: 1. Enumerate 2. Find vulnerabilities 3. Exploit (using a POC or sometimes manually) 4. ??? 5. Profit! (not really) While fun, these cyber ranges are more akin to an amusement park than what it is like to ply your sk1llz on a real network. I needed something else. Wouldn’t it be cool to legally do this on real networks and get paid?

Fall 2021:

I decided to obtain the OSCP. My work wouldn’t pay for it because I’m a blue teamer, so I ponied up the money for 60 days of lab time. I attempted to watch the videos and skimmed through the PDF, but I really wanted to just hack. The old lab range was a lot of fun. It had the feel of the early days when I was a kid: vulnerable servers everywhere, with some back stories and easter eggs, and networks that you had to pivot into. The lab was shared, so you could sometimes see the tracks left by others. Sometimes machines you were working on would get reset and you would have to start all over. It felt very authentic; sysadmins sometimes reboot servers. Sometimes another crew would see the same vulnerabilities you saw and beat you to it. I honed my old school methodology and consulted forum posts and Discord when I got stuck. At the end of the 60 days, I pwned 69 (nice!) out of the 75 machines. Feeling pretty good, I took some time off for the holidays and scheduled my exam for late January 2022. This turned out to be a problem because I had to take the new exam, which included the Active Directory network. There were a few Active Directory networks on the old lab range, but they weren’t realistic IMHO. The old exam range was full of old machines (there were even Windows XP machines on there), meaning to privesc you just had to use kernel exploits. This was a mistake because I didn’t practice many privesc methods.

Jan 2022 - Exam Attempt 1:

I scheduled my exam to start at 9am. I slept fitfully the night before, so I kind of started in a hole. I logged into the proctoring software, downloaded my VPN and got to work. Having a proctor was a strange feeling. I enumerated using AutoRecon, reviewed the output and decided to tackle a Linux machine first. By 11am I got my first user flag and tried for another few hours to privesc to no avail. I decided to tackle the AD network next. As it turned out, I was unlucky enough to draw the “impossible” AD set. This impossible set caused a bunch of fury online, which led to some people being banned from Offsec courses. I spent 4 hours banging my head against that wall. After that I pivoted to a standalone Windows machine, got the user flag almost instantly and then attempted to privesc for another few hours. Tried the last machine and couldn’t get in either. I threw in the towel around 9pm, 12 hours after I started. I couldn’t understand it; I was able to pwn on average 1 machine a day during my free time after work and family obligations. What happened? I think some of it was that the new exam format was not beta tested very well. It looked NOTHING like what I encountered in the labs. But the harsh reality is my methodology was lacking. By prematurely consulting hints I robbed myself of practicing the course material. By consulting the forums, I also robbed myself of the “malding” necessary to successfully hack independently. Pentest clients aren’t going to give you tips on how to hack their machines; that’s what they pay YOU to do.

The rest of 2022:

I ended up getting a new blue team job and didn’t have time to devote to offensive studies. During my job search I interviewed for blue/red/purple positions. I even got an offer as a junior pentester without the OSCP, but it was for junior pay. Why should I spend all this time to get a cert that would lead to a pay cut? I decided to focus on other things in my life. Lockdowns were done; time to go outside. Later that year, I won some free months of Proving Grounds (Offsec’s cyber range) at a CTF, so I started occasionally popping boxes again, maybe once or twice a month for the rest of the year.

Summer 2023:

I heard that Offsec revamped the PWK (now called PEN-200) and people were saying good things about it. I paid for 1 month of lab time to go through the material and get the 10 bonus points before I attempted the exam again. To Offsec’s credit, they did a really good job on the material. It’s more up to date and you can spin up VMs to practice what you are learning. They do a crawl-walk-run approach. Much more effective than a skimpy PDF and videos narrated by a chain smoker. TIP: Ensure you do the “capstone” exercises, because you will see some of those techniques on the exam. Offsec will test you on the hardest stuff they teach you. I ended up getting another 1 month lab extension and completed the MedTech and Relia networks as well as the OSCP A-C practice exams.

Exam attempt 2:

Started at 9am. I decided to be better organized. I set up separate directories on my filesystem for each machine and started AutoRecon for each one. I focused on the AD network first and got a foothold within an hour. I had a hard time pivoting, so I switched to a Linux box. The Linux box was like a HTB easy box, so it took me around 50-60 mins to completely pwn. Switched to a Windows box. Foothold was easy but the privesc was hard. Took a few hours to pwn; it was like a HTB medium box. Switched to the last standalone box. This one was a doozy and I had to do a pretty in-depth manual exploit. Privesc was tricky too. Felt like a HTB hard box. By 5pm I had enough points to pass (60+10), so I took my family out to a celebratory dinner. At 6pm I decided to go for 100 points and tackled the AD portion. Got Domain Admin by 9pm, reran my steps to make sure I didn’t miss anything (I did, so that was a good move) and ended the exam by 10pm. I slept in the next day, got up at 7am, ate a big breakfast and started on my report at 10am. I just used the Offsec report template and finished it by 5pm. It was 80 pages, most of which were screenshots. Went to a concert, came back, read the report one last time, 7zipped it up and sent it off.

Results:

And now we wait. DEF CON 31 was the next weekend, so I really wanted to have the results by then so I could brag about it and maybe parlay myself into a well-paying offensive role. The waiting was worse than the exam. I got the results on Wednesday night right after I checked into the hotel in Vegas. W00t! Unfortunately, the offensive side of the industry is in a contraction phase; some big names in the industry laid people off right before hacker summer camp. A lot of people I talked to wanted to get a job where I worked. C’est la vie. Maybe next year. All in all, getting my OSCP took about 5 months of studying in my free time spread over 2 years. end of line.