"Give me six hours to chop down a tree and I will spend the first four hours sharpening the axe." - Abraham Lincoln
The newbie to OSCPian journey includes OSCP exam preparation (PDFs, videos, articles etc.) and lab time with the Offensive Security lab, setting up your own local lab (with VulnHub machines) and HTB. In this journey you will experience lots of excitement, pain, suffering, frustration, confidence and motivation, and learning will be constant. You can achieve the OSCP certification and become an OSCPian after cracking 5 machines within 23:45 hours. In this you have one big limitation: you can use Metasploit on only one machine. There are many ways to practice and make yourself comfortable with the environment. Once you are confident in your pen-test skills after practicing in the labs, you can take the exam.
Things Required for OSCP Preparation:
- Programming skills (understanding of how exploits work)
- Understanding of the Linux OS
- Strong networking knowledge
- Understanding of security concepts
- Last, out-of-the-box thinking to approach your problems
Now Lab Time:
I purchased the 30-day lab with the material. One thing I didn't like about this is that you will spend the first month going through the material, which gives you a realistic 60-day lab time. But hey, that's life.
A summary:
- I read the PWK material twice.
- I pwned 29 machines in the lab in the 30 days.
- Pay attention to what each machine is trying to teach you.
- I focused on easy machines, then tackled the hard ones like Payday, Gh0st, Sufferance and Pain.
- I didn't touch Buffer Overflow in the labs.
From getting the OSCP material to taking the exam, it took me 3 months because of a medical problem in the family. Other than that, my problem was I didn't know if I was ready or not, because I found some of the recommended VulnHub and HackTheBox machines difficult. Also, with HTB some of the OSCP practice machines would only be online for a week, and I only had a couple of hours a day if I was lucky, so it felt like I was rushing to learn before the box went away the next week. If you are in this situation, perhaps focus on trying to pwn the machine you're practicing on for the first three days, then watch IppSec's walkthrough. You need that hands-on practice; don't rely on just watching videos and reading walkthroughs.
How I Approached the Exam:
If you don't know the grading, you need 70 points to pass. There is one 10-point machine, two 20-point machines and two 25-point machines.
- Practically, nobody can work for 24 hours because of natural limitations. I need 6 hours to be functional, so that gives me around 17-18 hours.
- Battle plan: you need one. With 18 hours, I didn't want to use any automation tool for scanning or finding vulnerabilities because of their output.
- First I approached the BOF machine, and in the background I ran all the scanning commands.
- While the scanning was going on in the background, I pwned the Buffer Overflow machine.
- After the BO, I started working on a 25 pointer, then the 2x 20 pointers.
- So like this I owned 4 machines in just 5-6 hours. It was "balle balle sawa sawa" for me. 😉
- But you know the story doesn't go so smoothly, and if it is OSCP then that's not going to happen without hurdles.
- The last machine, which was a 25 pointer, I spent 6 hours fighting with, and I couldn't exploit it. At last, after so much struggle, when nothing came to mind, I fired up Metasploit and pwned that too.
What the Exam Machines Are Like:
1×10 pointer: this is an easy boot-to-root machine. There will be a lot of ports open, similar to Metasploitable, but look for the unique service on a unique port. That took me 10 mins.
2×20 pointers: these will be similar to HTB machines such as October, Popcorn, Shocker and Beep.
2×25 pointers: one is Buffer Overflow and the other is a slightly harder, rabbit-hole-filled machine, something like Giddy or Jeeves.
Tips That Will Help You During the Exam:
- Background scanning is a must so you don't waste time.
- Buffer Overflow is an easy 25 points. If you practice with SLMail, FreeFloat FTP and Brainpan you should get this.
- Rabbit holes. The 25 pointer and the 2×20 pointers are filled with them. Reading g0tm1lk's Alpha walkthrough will help you manage this. If you are getting nowhere and repeating the same commands expecting a different outcome, you are in a rabbit hole. I fell into this trap with my 25 pointer and spent 4 hours after the BO on this single machine and didn't even get low-priv, so I accepted my defeat for now and ended up moving on to the next box.
- Metasploit. Manage the use of it. After moving on from the 25 pointer rabbit hole, I was able to pwn one of the 20-point boxes without Metasploit. I then moved to the other 20 pointer and tried all the possible non-Metasploit options. No dice. So I checked out the 10 pointer to make sure Metasploit was not required. 10 mins later, pwned without Metasploit. So I could now use Metasploit on the other 25 pointer.
- Priv esc: remember, they want you to use a specific technique. Enumerate, enumerate and enumerate: "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null". If you don't see a compiler such as GCC, you know it's probably not going to be a kernel exploit. So enumerate and use LinEnum.sh or linuxprivchecker.py. I found that one of my 20-point boxes only had perl and wget, so I was looking for priv esc related to perl. The other 20 pointer had GCC, so I googled a Linux exploit; 2 minutes later I was root.
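The "which ..." enumeration from the priv esc tip above, wrapped into reusable functions as an added example (not code from the original post). It reports which tools resolve on PATH and classifies the host the way the post reasons about it (compiler present, interpreters only, or no toolchain); the same check works as a hardening audit on production hosts, where a compiler or network tool nobody needs is attack surface worth removing. It assumes a POSIX sh with `command -v`; the tool lists are constructed here.

```shell
#!/bin/sh
# Added example: enumerate available interpreters, compilers and network
# tools on a host. Constructed tool list, based on the post's "which" line.
DEFAULT_TOOLS="awk perl python python3 ruby gcc cc vi vim nmap find netcat nc wget tftp ftp"

# Print each tool in $1 (space separated) that resolves on PATH, one per line.
present_tools() {
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 && echo "$t"
    done
    return 0
}

# Print each tool in $1 that does NOT resolve on PATH, one per line.
# On a production host this is the list you want to be long.
missing_tools() {
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 || echo "$t"
    done
    return 0
}

# Classify the host as the post does: a compiler on the box makes a kernel
# exploit path plausible; otherwise the interpreters present (perl, python,
# ...) are what to enumerate around; with neither, expect a config/service
# issue rather than a compiled exploit.
privesc_hint() {
    if [ -n "$(present_tools 'gcc cc')" ]; then
        echo "compiler-present"
    elif [ -n "$(present_tools 'awk perl python python3 ruby')" ]; then
        echo "interpreter-only"
    else
        echo "no-toolchain"
    fi
}

# Human-readable report over the default list.
report() {
    echo "present:"; present_tools "$DEFAULT_TOOLS"
    echo "missing:"; missing_tools "$DEFAULT_TOOLS"
    echo "hint: $(privesc_hint)"
}

report
```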
I didn't reinvent the wheel. I used their standard template and geared it towards my findings. With all the screenshots and how-tos, it was about 50 pages. Make sure you take plenty of screenshots and take notes, because they are expecting you to write down how you compromised the machine step by step so it can be repeated.
What the Proctoring Is Like:
Apart from expecting you to log in 15 minutes before to prep, it is non-intrusive while doing the exam. Their video feed will cut out after a couple of hours, after which they will ask you to restart the camera; they want you to tell them when you're stepping out, and that's about it. I think all of this is fair game. I stepped out after I knew I had passed for around 3 hours as the kids were calling; when I came back they just reminded me to let them know.
Level of the OSCP Certification:
Remember that this is a beginner Offensive Security certification. They are not expecting you to know web attacks such as bit flipping or LFI via PHP info. The techniques they teach you in the course should be sufficient; just adapt them to the machine you are up against. That doesn't mean only focus on the course material: definitely expand your knowledge, read write-ups and watch IppSec's videos. Don't expect any machines that require you to do crazy hacks. I believe all the exploits they want you to use are in ExploitDB. The biggest thing is enumerate, and enumerate well! Remember that there is a way into these machines; you just have to find it.
Newbie to OSCPian – The Journey Continues
Lastly, I don't think I'm smart because I passed on the first go without any pentest experience. You are not going to find me coming 1st in CTFs; what I am, though, is persistent and disciplined in learning. I enjoy learning IT and IT security. It has become almost a hobby and something I look forward to doing. So if you want to pass, studying and learning shouldn't be a drag, rather something you enjoy.
If you are planning to do the exam soon, good luck and study hard. Thanks for reading; I hope you get something good out of this and go from newbie to OSCPian ;-).