Updated: Feb 13, 2020
Hey, thank you for stopping by. This is my first blog post; I hope I can be helpful to someone. I have tried to be as informative and detailed as possible.
OSCP Rules can be found here.
Before I start with my OSCP experience, let me give you a brief description of my academic background. I have an undergraduate degree in Electronics and Communication (ECE) and am currently doing my graduate studies in Cyber Security. I'm by no means an experienced programmer, nor do I have any in-depth knowledge of Computer Science subjects. I can understand and code in C and Python, nothing else. So it's safe to say I am an intermediate-level programmer.
In my last year of undergraduate study, I had a subject named Network Security, which covered the basic topics of cryptography. This subject inspired me to explore the field of Cyber Security, and here we are.
After my undergraduate degree, I started working as a Cyber Security Analyst at one of the Big 4. While working in the day and participating in CTFs at night, I learned how to use a few security tools such as Burp and Nmap. Six months into the job, I decided to resign and continue with my studies.
On Jul 3rd I bought 2 months of lab time and got access to the lab on Aug 4th. Throughout the course I used the provided 32-bit Kali VM; it's not necessary to do so.
Note: DO NOT UPDATE THE PACKAGES
I had to reset my VM quite a few times, and you will not need to update the system at all.
As soon as I got the mail, I hopped onto the network and ran an Nmap scan on every single IP in the public network.
I was told that Humble, Ghost, Sufferance and Pain were the toughest machines. Also, I was advised by everyone not to go sequentially based on the IP address. But I did. I spent 5 hrs on the first machine and couldn't crack it. I went to the OSCP forum to see if I was doing something wrong.
Some comments read, "This is one of the easiest boxes". Well, that's not a good start.
Next I picked up Mike; 2 - 3 hrs in, I rooted it. I spent a lot of time just checking other machines. By the end of the day (around 3 AM), I managed to crack 2 machines.
This time I took the advice and randomly picked an IP from the list. 30 to 40 mins in, I rooted it. I ran hostname and it read Pain. That felt good, real good. The adrenaline rush is strong when you root a machine.
End of Week 1.
I had cracked around 11 machines and had also unlocked the Dev network. I'm not even joking, that whole week I hardly slept 4 hrs a day. While exploring the network I stumbled upon Humble; every day I used to spend at least one hour on this machine and yet couldn't root it.
End of Week 2.
This was a slow week; I could only finish 5 machines. The previous week's sleepless nights took their toll, and I slept like a log for the whole week. Once again I went back to the machine I started my lab with and finally rooted it. It was actually very simple; I was just overthinking and did not notice some of the crucial information from the scans and enumeration. Ralph was a very fun machine, I really enjoyed rooting it.
End of Week 3.
This was by far the most productive week of my life. My day started at 6 AM and ended by 10 PM. A fresh and calm mind is very essential for doing the labs. I was satisfied this week because I had rooted Ghost and Sufferance. By the end of the 3rd week, I had cracked 26 machines.
End of Week 4.
Humble was annoying me now. I told myself, "You have avoided this for very long now. Finish this, then move to the next one." By this time, I was way more confident than I was in Week 2. After 2 sleepless nights, Humble fell. The irony of life is that the one that stresses you so hard is named Humble.
Unfortunately, I was traveling abroad and had only one month left. I couldn't spend much time on the machines.
I scheduled the exam for Sep 19th, thinking that if I failed, I'd have 2 more weeks of lab time to practice.
Till Sep 18th.
So far, out of 43 public machines, I had rooted 35 of them and unlocked both the IT and Dev networks. As for Metasploit, I used it on only one Windows machine. On the 18th, I went through the Buffer Overflow videos and some other important concepts, made a minimal checklist and slept.
The best tool for Linux Priv Esc is LinuxPrivChecker. This should be more than enough for Linux Privilege Escalation.
You can find almost all of the tools I used during my lab and exam here.
I used GitHub to make notes. After I rooted any machine, I used to create a file containing the explanation and the exploits used, and backed it up whenever I modified my exploits or rooted a box. That way, it's backed up and organized as well.
Apart from that, I maintained an Excel sheet containing Hostname, OS, IP Address, Kernel Version and Exploit Used.
I cannot stress this enough: do not get demotivated if you spend a lot of time on a machine and were not able to crack it.
At any moment you find yourself stuck, take a step back and look through your enumeration.
Do not hesitate to use the forum; it is very, very helpful. It is maintained quite well and there will not be any spoilers.
Do not stress yourself out; take some time for yourself. You are not a robot that works 24/7.
I'm sure you have been told this by many people: talk to your close ones. It surely helps.
Last but not least, do not leave even one port untouched. If you find two ports with the same service running on them, it's there for a reason.
It was 19th Sep and my exam was to start at noon; by 11:45 AM I had logged on to the proctoring session. An instructor was waiting for me. He asked me to show him the room and my identity. The process takes 10 mins and the proctoring software is not too harsh on your computer; it's a Chrome extension.
Right at 12, the countdown began. I had 23 hrs and 45 mins to score a minimum of 70 marks to pass. You are provided with a console that contains all the necessary details, such as the points for each machine and instructions.
As usual, I ran my scanner script on all the IPs.
I started with the buffer overflow, and I was stressed, like real bad. Two and a half hours in and I hadn't got a shell yet. I told myself, okay, another 30 mins more; if not, move to the next machine. I started from scratch once again; apparently, I had missed a bad character. Rooted it. 25 marks in my pocket.
Now I was freaked out. I told the proctor and took a 15-minute break. I grabbed some coke and sat down for some time.
I went through the scans and there were a lot of ports open on all the machines. Honestly, I hate Windows exploitation. It's annoying because half of the time the exploits don't work too reliably and the machines always have way too many ports open. Here, I had to deal with 3 Windows machines, which were enough to annoy me.
I went through poking all the ports on all the machines; these machines were way different from the ones in the lab. By now I was 4 hrs into the exam and had cracked one machine. I went to the 10-point machine and spent an hour with no results. I was freaking out even more now, 6 hrs in and no results yet.
I took a step back, deleted all my notes except the Nmap scans and started over. I went port by port; 25 mins in and I had rooted it. 35 points in my pocket now.
Moved on to the 20-pointers; these were Linux machines. Within the next hour, I had rooted both of them. I followed the same principle: go port by port.
By now I had 75 points, which was enough to pass, and had 16 more hrs left. So I moved on to the last 25-pointer machine. 15 mins and I had a user shell as NT AUTHORITY\NETWORK SERVICE. I spent 2 more hrs on this machine and couldn't root it.
As of now I was 11 hrs in and hadn't taken even one screenshot, although I had submitted all the flags. I spent the next hour resetting all the machines and re-exploiting them while taking all the screenshots necessary for the report.
I had 12 hrs left and 85 points, way more than enough to pass, so I spent the next 8 hrs on that last machine. I used MSF on this machine yet couldn't root it. It was a completely patched Windows Server 2012 machine, with hotfixes applied up to May 2019. By now I was completely exhausted. I did a final check to see that I had submitted all the flags and taken all the necessary screenshots. At 8 AM on 20th September, I told the proctor that I was done with my exam. He warned me, "Once the exam is closed, your VPN access to the exam will be revoked and cannot be reactivated. Are you sure?" I agreed and closed the session.
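On the missed bad character: the usual way to catch that is to send every byte value 0x01-0xff right after the offset, copy the bytes back out of the debugger (for example the dump at ESP after the crash) and diff the two. A bad byte shows up either as the first mismatch or as the point where the buffer gets cut short, and because one bad byte often corrupts everything after it, only the first mismatch per run can be trusted; you exclude it, resend and diff again. The following is an added example, not the author's exploit code. The vulnerable service is a constructed stand-in (`fake_target`) that truncates on 0x0a and rewrites 0x0d, so the loop runs offline; against a real target the `target_memory` callable would be a socket send followed by reading the buffer back from the debugger.

```python
"""Bad-character hunting for a stack buffer overflow PoC.

Added example, not the author's exploit. The service below is a
constructed stand-in so the send/diff loop runs offline.
"""


def badchar_sequence(exclude=(0x00,)):
    """Bytes 0x01..0xff with the known-bad values removed.

    0x00 is excluded up front: it terminates C strings and almost
    never survives into the buffer, so there is nothing to learn
    from sending it.
    """
    excl = set(exclude)
    return bytes(b for b in range(1, 256) if b not in excl)


def find_bad_char(sent, observed):
    """Diff what we sent against what landed in memory.

    Returns the first byte that was mangled or that sits at the point
    where the buffer was truncated, or None if the whole sequence
    survived intact. Only the FIRST mismatch is trustworthy: a bad
    byte frequently shifts or drops everything after it, so later
    mismatches in the same dump are usually collateral damage.
    """
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):
        # Buffer was cut short: the byte at the cut is the culprit.
        return sent[len(observed)]
    return None


def hunt(target_memory, exclude=(0x00,), max_rounds=256):
    """Repeat send -> dump -> diff until the full sequence survives.

    `target_memory(payload)` stands in for "send payload, read the
    dump back from the debugger". Returns the sorted list of bad
    characters, including the ones excluded up front.
    """
    bad = set(exclude)
    for _ in range(max_rounds):
        seq = badchar_sequence(bad)
        culprit = find_bad_char(seq, target_memory(seq))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)
    raise RuntimeError("target keeps mangling input; check the offset/dump")


# --- constructed stand-in for the vulnerable service --------------------
# Hypothetical behaviour, chosen to exercise both failure modes: 0x0a
# is treated as end-of-input (truncation) and 0x0d is rewritten to 0x0a
# (mangling). A real service would be reached over a socket instead.
def fake_target(payload):
    data = payload.split(b"\x0a", 1)[0]     # 0x0a truncates the buffer
    return data.replace(b"\x0d", b"\x0a")    # 0x0d is mangled in place


if __name__ == "__main__":
    print([hex(b) for b in hunt(fake_target)])   # → ['0x0', '0xa', '0xd']
```

Note that the loop needs one round per bad byte; against a real target that means one crash and one dump per round, which is why it is worth excluding 0x00 (and, for most text-based protocols, 0x0a and 0x0d) before the first send.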
I slept for the next 8 hrs, woke up at 4 in the afternoon and sat down to finish the report. I submitted my report on the 21st, early morning at 5 AM.
The next day, at around midnight on the 23rd, I got an email saying I had passed the exam.
Same as the ones for the Lab
Google is your best friend
Enumerate each and every port. If you don't find anything, it basically means you haven't enumerated it properly.
Do not panic; relax, give yourself a break and take it step by step.
Yes, the machines are way different from the ones in the lab, but the methodology still remains the same.
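The two tips above about enumerating every port, and the lab tip about two ports running the same service being there for a reason, are easier to act on when the scan is turned into a checklist you tick off port by port. The following is an added example, not the author's scanner script: it parses nmap's grepable (-oG) output, in which each port entry has the form port/state/protocol/owner/service/rpc/version/, prints one checklist line per port that is not confirmed closed (filtered ports stay on the list because they are unverified, not absent), and warns about any host exposing the same service name on more than one port. The sample scan output is constructed (made-up hosts, ports and versions) so the block runs offline.

```python
"""Turn nmap grepable output into a port-by-port enumeration checklist.

Added example, not the author's scanner script. SAMPLE_GNMAP is a
constructed -oG file; the field layout follows nmap's grepable format.
"""
from collections import defaultdict

# Constructed sample; hosts, ports and versions are invented.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Thu Sep 19 12:05:00 2019 as: nmap -sV -p- -oG scan.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/, 8080/open/tcp//http//Apache Tomcat 7.0.52/\tIgnored State: closed (65531)
Host: 10.11.1.8 ()\tStatus: Up
Host: 10.11.1.8 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Windows Server 2012 Standard microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done at Thu Sep 19 12:40:00 2019 -- 256 IP addresses (2 hosts up) scanned
"""


def parse_gnmap(text):
    """Return {host: [port dicts]} from nmap -oG output.

    Only 'Host:' lines carrying a 'Ports:' field are used; the status
    lines and the '#' header/footer are skipped.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            # port/state/protocol/owner/service/rpc/version/ (nmap escapes
            # any '/' inside a field as '|', so splitting on '/' is safe).
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[host].append({"port": int(port), "proto": proto, "state": state,
                                "service": service, "version": version})
    return dict(hosts)


def checklist(hosts):
    """One '[ ]' line per host/port that still needs manual enumeration.

    Closed ports are dropped; open and filtered ports both stay, since a
    filtered port has not been shown to be absent.
    """
    lines = []
    for host in sorted(hosts, key=lambda h: tuple(int(x) for x in h.split("."))):
        for p in sorted(hosts[host], key=lambda p: p["port"]):
            if p["state"] == "closed":
                continue
            lines.append(f"[ ] {host}:{p['port']}/{p['proto']} "
                         f"{p['state']:<8} {p['service']:<14} {p['version']}")
    return lines


def duplicate_services(hosts):
    """Hosts that expose the same service name on more than one open port.

    Returns {host: {service: [ports]}}; each such port deserves its own
    enumeration pass rather than being assumed to mirror the other.
    """
    dups = {}
    for host, ports in hosts.items():
        by_service = defaultdict(list)
        for p in ports:
            if p["state"] == "open" and p["service"]:
                by_service[p["service"]].append(p["port"])
        multi = {s: sorted(ps) for s, ps in by_service.items() if len(ps) > 1}
        if multi:
            dups[host] = multi
    return dups


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(checklist(scan)))
    for host, multi in duplicate_services(scan).items():
        for service, ports in multi.items():
            print(f"!! {host}: {service} on ports {ports}, enumerate each separately")
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; the checklist is meant to be pasted into your notes so that a port is only ticked once you have actually poked it, not once the scanner has labelled it.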
That was my experience with OSCP. Please make sure you utilize your lab time wisely, unlike me. I wish I had spent more time on the other networks, such as IT and Dev. Feel free to let me know how you felt about my journey. By no means am I an expert, just a beginner, but don't hesitate to ask me anything; I'll be more than happy to help if I can.
Email Address: firstname.lastname@example.org
All the very best,
Windows Privilege Escalation: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
Linux Privilege Escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Alpha Machine Write Up: https://forums.offensive-security.com/showthread.php?t=4689
OSCP Notes: https://github.com/Optixal/OSCP-PWK-Notes-Public