Link Search Menu Expand Document

04 Jun 2021 | Reading time: ~15 min

My OSCP Journey

#OSCP #offsec #PWK #PEN-200

OSCP logo

Italian article available here

Table of contents

  1. Pre-course
    1. Backgrund and preparation
  2. PEN-200 Course and Lab
    1. Day 01-30
    2. Day 31-60
    3. Day 61-90
    4. Up to the day before the exam
  3. Day before the exam
  4. Exam
    1. Day one
    2. Day two
    3. Exam history
  5. Certificate
  6. Overview
  7. Useful resources
    1. OSCP general resources
    2. Working with Shells
    3. General purpose hacking resource
    4. Linux specific resources
      1. Post Exploitation & PrivEsc
        1. Methodology
        2. Cheatsheet
        3. Tools
    5. Windows specific resources
      1. Post Exploitation & PrivEsc
        1. Methodology
        2. Cheatsheet
        3. Tools

Pre-course

Backgrund and preparation

When I enrolled in the PWK course, I had worked as a software developer for 2 years and had been working as a Penetration Tester for another 2 years.
Prior to OSCP I had not yet obtained any certification, the only course I had taken was the eLearnSecurity’s PTSv4, but without attempting the related eJPT certification.

Having been self-taught for about 4 years, playing HackTheBox from a while and now working in the industry from a couple of years, I already mastered the pre-requisites suggested by Offensive Security, so I decided to enroll.


PEN-200 Course and Lab

I enrolled in the PEN-200 (PWK 2020) on the 15th of Jennuary 2021. The course then started on the 24th of Jenuary with 90 days of lab access.

Day 01-30

I spent the first month looking at the course material (850+ pdf pages and 17+ hours of video) and doing the exercises required to get the 5 bonus points during the exam. Although they were not difficult, the exercises were many and required a lot of time to be done correctly (to get the 5 bonus points the exercises must all be complete and correct), so I decided to start them from the first day.

While reading the pdf I also began structuring notes and cheatsheets to use during the exam so that I would have all the useful references and commands ready at hand.

Day 31-60

Finally after 30 days of exercises and notes writing I was able to start hacking some boxes. I decided to start the journey following the PWK Labs Learning Path and then proceed autonomously with the “low hanging fruits”.

In the meantime I took notes for each one of the machines penetrated and I wrote short writeups so that I would have an executive summary and a brief overview for each of them.

Day 61-90

During the last month of access to the lab I did the extra mile exercises and I hacked as many machines as possible, trying to maintain an average of 1 machine per day.

At the end of the lab time I finished with 64 hacked machines (out of a total of about 70), one domain controller completely compromised and access to all 3 internal networks.

Up to the day before the exam

Between the end of the course and the final exam I decided to let a month pass in order to have the necessary time to review or extend any doubts or knowledge in addition to writing the report of the lab (a complete writeup of 10 machines with different attack vector + all pdf exercises) to totalize the 5 additional points.

In this month I have followed two Udemy courses focused on Windows Privilege Escalation (“Windows Privilege Escalation for OSCP & Beyond!” and “Windows Privilege Escalation for Beginners”) and I kept rooting as many machines as possible on HackTheBox (I already had a VIP subscription) inspired by the lists of OSCP like machines that can be found on the web.

HTB_OSCP-like-machines.jpg

During each penetration test I always kept taking notes and writing writeups, in order to keep my second brain always updated and organized.

I ended up with a total of 51 rooted machines on HTB:

  • Lame - 10.10.10.3
  • Legacy - 10.10.10.4
  • Devel - 10.10.10.5
  • Beep - 10.10.10.7
  • Optimum - 10.10.10.8
  • Bastard - 10.10.10.9
  • Arctic - 10.10.10.11
  • Grandpa - 10.10.10.14
  • Granny - 10.10.10.15
  • Blue - 10.10.10.40
  • Shocker - 10.10.10.56
  • Jeeves - 10.10.10.63
  • Bashed - 10.10.10.68
  • Chatterbox - 10.10.10.74
  • DevOops - 10.10.10.91
  • Bounty - 10.10.10.93
  • Jerry - 10.10.10.95
  • Active - 10.10.10.100
  • SecNotes - 10.10.10.97
  • Access - 10.10.10.98
  • Querier - 10.10.10.125
  • Netmon - 10.10.10.152
  • Bastion - 10.10.10.134
  • SwagShop - 10.10.10.140
  • Writeup - 10.10.10.138
  • Jarvis - 10.10.10.143
  • Networked - 10.10.10.146
  • Postman - 10.10.10.160
  • Traverxec - 10.10.10.165
  • Obscurity - 10.10.10.168
  • OpenAdmin - 10.10.10.171
  • Traceback - 10.10.10.181
  • Magic - 10.10.10.185
  • Admirer - 10.10.10.187
  • Cache - 10.10.10.188
  • Blunder - 10.10.10.191
  • Tabby - 10.10.10.194
  • Buff - 10.10.10.198
  • Ready - 10.10.10.220
  • Delivery - 10.10.10.222
  • Tenet - 10.10.10.223
  • ScriptKiddie - 10.10.10.226
  • Ophiuchi - 10.10.10.227
  • Spectra - 10.10.10.229
  • TheNotebook - 10.10.10.230
  • Armageddon - 10.10.10.233
  • Schooled - 10.10.10.234
  • Atom - 10.10.10.237
  • Love - 10.10.10.239
  • Pit - 10.10.10.241
  • Knife - 10.10.10.242

To retrain my Buffer Overflow skills I also executed some exercises from the TryHackMe module Buffer Overflow Prep - Practice stack based buffer overflows!.


Day before the exam

The day before the exam I stayed completely away from the hacking world and everything related to the certification. I rested, I had company, I had fun and I tried to sleep as much as possible in preparation for the big day (sleep that actually lacked because of the pressure).


Exam

Day one

The exam started at 9am, the proctors were on point and I didn’t have any kind of problem with the VPN or accessing the platforms.

I started right away with the BOF machine (while the scans were running on the other machines) and after about 1 hour and 45 minutes (yes, it took me longer than it should have according to my schedule) I got the first 25 points without any great difficulty.

Afterwards, I decided to take a look at all the scans and tackle one of the two 20 points machines to take the pressure off. After about 3 hours I got the user and after other 45 minutes I got the full 20 points.

At that point I decided to go ahead with the second 20 points machine. After 2 hours and 30 minutes I got the user flag but from there I got stuck on the privilege escalation process for about 1 hour and 15 minutes so that I decided to try to approach an easy win 10 points machine to restore a mental balance.

The 10 points machine was really a peace of cake and it took me less than 30 minutes to root it.

After the 10 points machine I decided to try and tackle the last missing box before going back to try the privilege escalation on the second Medium machine. After about 2 hours and 30 minutes of intense enumeration I got the user and after other 45 minutes I got the root flag.

Sure to have totaled a good margin of points to pass the exam (≈90pt) I have decided to still try an hour of privilege escalation, however without success. In the remaining time of VPN access I double-checked all the notes, procedures, exploits and I took any missing screenshots.

Around 1:00 AM I went to rest for about 4 hours and at 5:00 AM I started writing the final report.

Day two

The second day was all downhill. The report (which I had already structured in the previous days) was just a sequence of copying and pasting from the notes and a bit of research for vulnerability remediation, but nothing more than that. At 12:27 I had already finished checking the report and I had already submitted it.

Exam history

08:30 - Proctoring stuff
09:00 - Exam started
10:43 - 25 points Buffer Overflow box rooted
12:35 - Lunch break (30 mins)
13:34 - 20 points box (1) user shell obtained
14:14 - 20 points box (1) rooted
16:43 - 20 points box (2) user shell obtained
18:26 - 10 points box rooted
19:30 - Dinner break (30 mins)
21:06 - 25 points box user shell obtained
22:00 - 25 points box rooted
01:05 - Rest
05:00 - Breakfast
05:30 - Started writing the final report
12:27 - Submitted the final report


Certificate

The day after the delivery of the Lab and Exam reports (01/06/2021 @ 13:12) I received the email confirming the achievement of the certification.


Overview

My experience with this course and certification has been overall positive. Although I feel that the work required to obtain the 5 bonus points is excessively time-consuming (considering that access to the lab is activated from day 1 and that it is not possible to stop it) the experience in the lab was exceptional: 70 and more machines almost all different from each other, different Active Directories, different internal networks to reach, interdependencies between different machines. It was really fun!

PDF and videos are very well structured and clear, perhaps a little too redundant in the two versions (many times the videos merely repeated things seen in the pdf without further elaboration). Not a big deal anyway.

The exam was challenging but fun. Reporting was not an issue.

The key concepts for obtaining the certification are primarily three:

  • Try harder (or rather “enuemreate harder”)!
  • Organize your notes and cheatsheet properly
  • Google is your best friend

If you can master these key concepts getting certified will be a breeze.


Useful resources

OSCP general resources

Working with Shells

General purpose hacking resource

Linux specific resources

Post Exploitation & PrivEsc

Methodology
Cheatsheet
Tools
  • Linux Local Enumeration Script: performs basic linux local enumeration, a first step in the local privilege escalation process.
  • LinPEAS: a script that search for possible paths to escalate privileges on Linux/Unix* hosts. The checks are explained on book.hacktricks.xyz
  • linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels
  • unix-privesc-check: Shell script to check for simple privilege escalation vectors on Unix systems
  • LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks
  • LES (Linux Exploit Suggester): designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine.
  • crontab guru: The quick and simple editor for cron schedule expressions by Cronitor

Windows specific resources

Post Exploitation & PrivEsc

  • LOLBAS: every binary, script, and library that can be used for Living Off The Land techniques.
Methodology
Cheatsheet
Tools
  • Seatbelt: a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
  • WindowsEnum: A Powershell Privilege Escalation Enumeration Script.
  • winPEAS: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
  • PowerUp: a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
  • windows-privesc-check: Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems
  • Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
  • Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
  • Windows Exploit Suggester - Next Generation: a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.
  • Windows Exploit Suggester: compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target.
  • GhostPack-Compiled Binaries: Compiled Binaries for Ghostpack (.NET v4.0)
  • Nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
  • RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
  • Juicy Potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
  • UACME: Defeating Windows User Account Control
<path d="M12.2685,74.7342 L66.4215,74.7342 L43.1485,3.1092 C41.9515,-0.5768 36.7375,-0.5758 35.5405,3.1092 L12.2685,74.7342 Z" "/>


Made by 0xbro with 💜 💛