From (Almost) 0x0 to OSCP: My Journey to become OSCP
On the 17th January 2021, I received one of the best news in my life yet, I had successfully passed my OSCP Exam! What started out as a step of faith to take on the OSCP certification turned out to be one of the best decision that I made during the lockdown due to the CoVID pandemic. The choice allowed me to step into the field of Penetration Testing and go deep on it.
In this blog post, I hope to share both my experience, as well as tools or platforms that I have used to prepare myself for the exam. I will also share how I went from a person who was relatively new to IT (2+ years since starting on my Information System degree in SMU), and had little background on Cybersecurity, to becoming an Offensive Security Certified Professional (OSCP). However, before I share, let me talk about what is this OSCP.
OSCP is a professional certification offered by Offensive Security and it is well-known, respected and required for in many cybersecurity jobs that has responsibilities within the area of penetration testing and vulnerability assessment.
However, to get this certification, one must take a 24-hour proctored examination, given 5 machines to root (which means to gain full access and control as administrator of the machine). Each Machine has a certain points assigned to it and to gain the full points, we need to root it. Another 24-hour is given after the exam ends to write a report on the penetration testing done on the network of 5 machines. To pass this, the report needs to be submitted and a total of 70 points must be earned in this exam. The exam is mentally, psychologically and physically demanding.
One can see why this is a difficult and yet quite coveted certification. Unlike many other exams, this one is 100% hands-on and it really tests your knowledge of what you learnt through the course and at the same time, your ability to apply it in real life and try harder.
A little bit about me before taking OSCP…
Before I jumped into the whole experience for OSCP, I just want to share how the level which I came in prior to registering and even preparing for the start of the PWK course itself.
My main motivation behind the decision to tackle OSCP was after an experience I had in school. I was exposed to the area of cybersecurity during a Red Team Boot Camp organised by my school’s WhiteHat Society, I was intrigued and wanted to learn more about Cybersecurity. From there, I did my own self-learning and one of the areas that really intrigued me was the concept of Red Teaming. The excitement of finding vulnerabilities in systems excited me. I wanted to learn how I could find these vulnerabilities before the real bad guys out there do. Hence, I wanted a way that I could jump into the deep end and learn more. (Yes, there is a difference between Red Teaming, Pentesting and Vulnerability Assessment but that’s not the point of my post)
With that in mind, I decided to not go for an internship during the summer break of my 2nd Year and that I would pour out my time at home to study and prepare first before I sign up for the course. Then, CoVID came and it became an opportunity in the crisis. A message in my church really spoke to me at that point of time about how I could seize the opportunities found in this pandemic crisis (if you are interested check it out here). As I evaluated, the lockdown gave me even more time at home and I decided that this was the best chance to dive deep. With that, I signed up for PWK course which would start my journey to OSCP.
Remember I said, I would share what level I was at? Well… this was me when I signed up for OSCP:
- Started learning my first programming language (Python) in 2019, during a module in my freshmen year
- Limited knowledge about Linux and Bash scripting (I only knew the very basic commands)
- Limited Computer Networking knowledge (prolly just the TCP model, and the different topologies)
- Limited knowledge on the different Protocols that would be common.
- Was a
noob in HTB.
Well, on the bright side, I wasn’t afraid of the hard work to come and I knew this was what I wanted to do. So…
T-14 days to start of PWK course for OSCP
After registering for the course, I immediately went online to find out ways to prepare before I start on Day 1 of the PWK course. I knew I had a big gap to fill in terms of the foundational knowledge and skillset. One of this article I found was this:
A Detailed Guide on OSCP Preparation - From Newbie to OSCP - Checkmate
If you are a newbie in Penetration Testing and afraid of OSCP preparation, do not worry. Even I was once an amateur…
While this was a preparation guide to the older version of OSCP, this was a good guide on where to start and how to prepare before taking on the course itself. I went to places like OverTheWire to learn and practice using linux commands. Watching videos for buffer overflow like this one and this one. I also spend time to try out Starting Point on HackTheBox. I watch videos on Computer Networking to brush up and refresh my understanding on Networks and security with relations to Networks.
Day 1: Start of PWK Course
3rd May 2020. The arrival of my course material. I was like a child opening up his Christmas present on boxing day. I was excited and ecstatic to start. Coming in with little experience, I knew that there was no shortcut for me. While it was really tempting for me to just skimp through the material and move on to the labs quickly as suggested and done by many. I decided on day 1 that I would religiously go through every single topic in the course material so that I can make sure I got all my concepts and understanding right. I also knew that if I was going to do this, I will religiously finish all the course exercises because doing so and completing 10 unique labs will earn me the extra bonus 5 marks. Little did I know that would be a really wise decision that I made on day 1…
With the pandemic locking us in our home, for me, this was really a great opportunity. Outside of the time that I needed to spend with family, and also on video conferences with people, I could spend every other hour undistracted on the course material, making sure I understand and learn and unlearn and relearn my understanding of the different topics. I spend about 6–8 hours a day on the computer, learning on the different topics.
Day 45: Stepping into the Labs
17th June 2020. While my original goal was to finish the course material within 30 days, I overshot it and took almost 45 days to finish it. It did hurt my plan but I was confident that those extra days spent to understand and learn all the techniques and skills taught was worth it. With that, I attempted my first entrance into the Lab environment.
At first glance, I was a little lost. Then, I used nmapAutomator to do a quick scan on the network for machines that I could reach using nmap. This helped to identified the machines that I could start working on.
I was really stuck for a while and I couldn’t figure out how to break into the machines and get the root. Even though it was pretty simple, the other enumeration scans done manually was still daunting and I was spending a lot of time, trying to figure out what I was doing wrong with my enumeration. However, I stumbled across an amazing tool written by Tib3rius which till now I still use in playing at HTB as well. Check this out:
It's like bowling with bumpers. - @ippsec AutoRecon is a multi-threaded network reconnaissance tool which performs…
It is an amazing tool that helps to automate the initial enumeration that are necessary and helped to cut down a lot on the manual work. Run this, and read the results and begin to think about your next few steps on enumerating the machine itself. When I first use this tool, I made the rookie mistake of treating this as a cure-all method and heavily relied on just this to give me all the information about the machine.
Even though it has automated the scan, we need to be aware and understand what the information it feeds us could mean about the box. I was caught off-guard especially in machines where the directories could be found only on wordlist that were much bigger than the one use by default in AutoRecon. So do take note on that when using tools like this!
As I spent every waking hour possible (of course I still lived my life and dealt with responsibilities in life) on the Labs, I progressed from 1 machine rooted every few days to 1 machine rooted per day and sometimes 2–3 machines in a single day. Slowly but surely, I gained the momentum and the rhythm of rooting machines. The forum which is only accessible by its students was especially useful to learn more about the different ways people approached the boxes and to get hints when we are truly truly all out of options. However, a word of caution is that do not get caught up with how fast people are rooting the machines in the forums. Sometimes, some people just have to flex that they rooted the machine in x hours or like they rooted x boxes today, etc. Don’t be discouraged by it and don’t get caught being competitive about it. This is a course. Take your time, learn what you need to and read the good stuff that will help you advance.
Then, I came across the machines that were known as the stuff that were made out of nightmares. I shall not name these machines, but they definitely required something more out of you… whether it was an eye for detail, a perseverance to keep researching and trying different methods you would google online or just the ability to adapt and change your perspective towards the machine. These machines were so well-known, that probably when you read the forums, you will see their names and even the amount of questions for these boxes. In the time that I had in the labs, I managed to root all of them and it was a great and humbling experience. In total, I only rooted about 32 machines out of 54 machines (I am sure there are more) and managed to gain access to the IT Department network (that’s 2 out of 4 network?)
Last 1 Week in the Labs
In my last 1 week of the Lab time, I spent most of it finishing any remaining course exercises that I did not finished like the extra practice for the Buffer Overflow topics and also to make sure that I had screenshots for every single unique lab machine that I was going to do. I also started putting my lab report together while doing the checks and managed to successfully compiled my lab report. I had book my exams earlier, for it to be 1 week right after my Lab session would end so that whatever I had learnt in the span of the course will remain fresh in my head and I could apply it and take on the exam. Little did I know, that I had underestimated the difficulty of 24-hr exam and how unprepared I was.
In the week leading to my 1st exam attempt, I had prepared several cheatsheet that I could use like commands that I would use almost every time, such as commands that would give me reverse shell, that I could copy and paste easily. Here are a list of reference material that I had decided I would use to help me in the exam:
A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and…
15 Ways to Download a File
Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the…
Checklist - Linux Privilege Escalation
Checklist for privilege escalation in Linux
Basic Linux Privilege Escalation
Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a "magic" answer, in this…
These are just some of the stuff I referred to in my first exam attempt.
Exam Attempt 1
14 August 2020. The day of the exam. I was pretty nervous. Woke up earlier than I intended to and decided not to sleep in. I went out to pitch a little at my usual spot and took a breather. Then, I had a good breakfast and showered and sat down at working desk 30 mins before the exam was about to start. This is mainly because prior to taking the exam, there is a process of verification and the proctors will require you to verify your identity and do a look around on your environment.
The first 15 mins sitting there, I was shaking with both excitement and at the same time, I was nervous. I wasn’t sure what to expect but I knew my gameplan: Take out the BOF machine and go for the shortest path to 70 points.
At 12 pm, the email came in and after verifying, I quickly run AutoRecon on the 4 other machine and started tackling that one machine which is BOF. At first, things were going smoothly, but when the exploit did not work, I panicked and took a longer time to troubleshoot than I expected. In total, I took about 4 hours to root the BOF machine. By then, I was pretty tired as I did not expect to go on a wild goose chase as expected. However, seeing how my AutoRecon scan results were done, I decided to review on those results first before heading for dinner. I attempted several ways to enumerate but I was just trying to find vulnerabilities blindly, without trying to understand the web application.
I decided to take a quick dinner break and returned back to the exam. The easiest box was rooted then at this point, I already had about 35 points. However, for the rest of the exam, I was pushing myself to the extreme, taking only one or two breaks (excluding toilet or food break). However, I did not managed to successfully find any footholds to the other 3 machines. At 5am in the morning, I was burnt out, tired. I decided to catch some snooze and try again later.
At 10am, I was convinced that it was unlikely that I could find anything anymore. I already lost the will to fight to continue and was just blindly throwing everything I knew on this botched attempt. At 11.30am, I decided to give up on the exam and ended the exam early.
Botched it… What is next…?
At this point, I was really discouraged, upset and disappointed. I learntthat I was not ready for this and clearly the exams was really difficult. Even if I knew the course material and went through all of it, the lack of real life practice and a methodology in how I tackle machines was real. I knew that this botched attempt was due to the pride that I had and the underestimation of OSCP exams. At first thought, I told myself, maybe I am just not ready or I made the wrong decision to take the certification now. However, with encouragement from both people that were close to me, and also from the people I met from the InfoSecPrep Channel in discord, I decided that I will try harder and this time try smarter again.
The road to my second attempt would not be an easy one. The lockdown in Singapore was gradually lifted, and my summer break from school was over. This meant that I had to prepare for my OSCP in my first term of my 3rd year in SMU. It meant juggling between my modules (which included a research module) and OSCP and all my other commitment at the same time.
I started out my second wind, my second preparation phase by subscribing to HTB VIP and follow the retired box list by TJNull (here) for my preparation. I would aim to root 1–2 boxes every week and begin to watch also Ippsec video walkthroughs to learn from his methodology and compared how he approach the box and how I approach the box and begin to understand why certain things are important to note. Here are some of the write-ups I wrote:
Road to OSCP: HTB Series: DEVOOPS
In my road to OSCP certification, one of the common to-dos as many before have done in preparation for the exams was to…
Road to OSCP: HTB Series: Active Writeup
Continuing on my road to OSCP certification, I am in the midst of preparation for the exams in January. Part of my…
I also got Tib3rius courses on Udemy here:
Windows Privilege Escalation for OSCP & Beyond!
Tib3rius is a professional penetration tester who specializes in web application hacking, though his background also…
He also has a course for Linux privilege escalation, do check it out if you need to! For me, I think I was good with Linux Privilege escalation, so I only opted for Windows Privilege Escalation class. Other tools I found that are useful for Priv Esc:
More info on the project? Click logo Want to contribute? Go here for instructions…
GTFOBins is a curated list of Unix binaries that can used to bypass local security restrictions in misconfigured…
Both of these references are perfect if you want to exploit SUID binaries to priv esc.
In addition, thanks to Cptsticky’s help, I also began to explore and build my own methodology on how I should approach these machines and how I can improve my own checklists and approaches when dealing with something I have never seen before.
I also started joining CTFs (Capture The Flag Competition) organised on CTFTime (seriously, follow them on twitter) and also THM (TryHackMe) Cyber Advent 2 and use it as an opportunity to learn more and practice more as well. I realised that this also taught me how to research and find exploits or ways to capture flags in the challenges. This skill is extremely useful as the ability to be resourceful and googling stuff will really help you to understand what is it that you are dealing with. Instead of just googling for exploits for versions, take it to another level by googling what these technology do in the machine. Understand the system, the application before you try to break it. This was what I learnt from my HTB, CTFs and THM experiences.
Out of all these, I begin finding love for doing this. It was less of because I have to learn this to pass OSCP, but it became something that I just do because I really enjoy it. I enjoyed reading up on things even unrelated to what OSCP teaches like on how heap exploitation works, ransomware, etc. I think that was really what set my experience apart from the preparation leading to my first attempt.
Weeks counting down to my 2nd Attempt
In the weeks counting down to my 2nd Attempt, I was in my winter break. I spend time trying to work on boxes whenever I was taking a break from my research. I also took time to write a tool to help generate the commands that you could just copy and paste from the terminal to be used immediately. Do check it out here (Disclaimer: Not tested on the exam platform. So use at your own risk though this one does not exploit anything but generate payload only):
Tool Script to generate dynamic reverse shell command given the Host IP Address and Listening Port. Tool Script to…
Do note that it is a work-in-progress and I only used it merely as a script to generate commands for the languages so it is still really raw but feel free to contribute if you feel this is a tool that will help make life easier for you and other OSCP students in the future.
In the midst of my preparation, I also came across an internship opportunity in a Junior Penetration Tester role. Thanks to what I learnt in OSCP, I could enter into the technical interview with confidence and was able to understand and answer the questions given. Through the interview, I met Konstantin who is now a mentor/supervisor in my internship. He also shared and gave me more advice how I could learn more and get better in my skills and attitude as a pentester. With the advice given, and the preparation made, I was ready to face my next attempt at the exam. This time, I knew what to expect and I was not going to take the attempt lightly.
Exam Attempt 2
In my second attempt, I came up with a plan on how I wanted to tackle this attempt. I planned 3 hours for the BOF machine and then I would take a good 15 mins break, to stretch, rest and relax before I came on the machine. I also made sure that after every 1.5–2hours (I used a timer to help me), I will stop, assess my condition and if I was too tired or stuck, I would take a 10–15 mins break again to wind down and cool off. I would go walk outside or just go lie down and use my phone to watch some baseball videos to wind down or I would just pray ( yes prayer works.) Lastly, I planned to sleep in this exam attempt. I made sure I had a cut-off time, and I would sleep at least 6 hours.
On 7th January 2021, I woke up at 10am and prayed and had my breakfast. After that, I spend my time making sure that I had all the templates for my note-taking and all the references I need. I also made sure that my working area was tidy and ready. I then played my guitar, rested and relax myself till about 2 which I then went to shower and sat down 30 mins prior to the start to get ready for it.
At 3pm, the email came in and after the same process of verification, I was off to the races. This time, I forgot about running any scans in the background on the other 4 machines and proceeded to work on the BOF machine first. It took me about 4+ hours. Of course ideally, it should have taken me a shorter time, but I was really dumb and I did not check a step properly before proceeding to generate my shell code. Hence, leading to a long delay on my BOF machine. So my advice is really: practice BOF until you are familiar with your steps and the methodology to exploit it.
Right after that, I realised I did not run the scans on the machines so it gave me a good excuse to run the scans and step away from the machine for a much needed dinner that my friends got for me. I had my dinner, watch some baseball video and headed back into the exam when the scan was completed. I proceeded to touch on the machine with the next most points, but within the first hour, I knew I was stuck on it. At first, the fear of history repeating itself struck me, but I decided to shake it away and move onto another machine. I didn’t make much leeway until I moved to the easiest box which I pretty much rooted straight away within the hour.
By then, it was 12am. I took time out to had my supper and decided that I really needed to pray again. It gave me clarity and more than that, it gave me peace despite the lack of progress, similar to my first attempt.
Once I was done, I came back and worked on the 3rd machine. Then, as I googled more, I found a way to obtain the information I needed to gain my first foothold. I was ecstatic. At 1+ am in the morning, I knew I had grown and improved compared to the last attempt. I had broke through. Although, I was planning to sleep at 2am and wake up at 8am to continue, the breakthrough gave me the adrenaline to push through and eventually rooted my third box. This put me at a good 55points.
At this point, I knew it was time to sleep (It was 3.30am already). I had to make a decision to sleep or to keep pushing while the adrenaline was still in my blood and keeping my head clear. However, I looked at the 4th and 5th machine, and it seems like all my previous attempts to gain footholds on it was not working. I was desperate. But somehow, I knew I had to sleep and take a break and that will help me change my perspective on the problem. So I decide I would sleep from 4+am to 9am.
At 8.30am, I woke up, washed up, and made a hot cup of Milo (thats hot chocolate for my western friends). I sat in front of my laptop and looked straight at the 4th machine (which was the 20 point machine). After trying to trace my enumeration process in the notes I took to get back into the state of mind, I realised the horrible and extremely careless mistake I made during the user enumeration. Hence, once I got that right, after repeating the steps I had done the night before, I managed to gain the foothold. I was shocked but also relieved that it was one more step to the guaranteed pass. The foothold I gained would at least put me at a 65 points mark.
The last few hours felt like a frenzy. With the closeness of my score, I knew I had to get this. However, I was unsuccessful and I kept trying. Eventually, I ended the exam with 3 rooted machines and 1 user in one machine. This puts me in a spot where I was THIS close to pass…
BUT, the saving grace was found in the fact that I decided to do my lab report faithfully which would grant me the 5 bonus mark which is exactly what I needed to pass my OSCP exam! When I realised this, I quickly worked on my exam report and spend my time after I slept to look through my Lab report to made sure I got everything.
With the exception that I spent many hours (or days) troubleshooting with the tech support on the upload issues, I finally managed to submit both my exam and lab report successfully. (Thank God and thank you Offsec.) My advice to everyone taking OSCP now: CHECK YOUR LAB REPORT SIZE. Offsec should have updated their exam guide with regards to the upload file size. (again thank you Offsec).
Now, it was a waiting game. I must admit, it is nerve-wrecking for the fact that there is no absolute proof that I would pass. It would take a miracle for me to pass this with the help of my lab report because that assumes that I did not make any mistake on my 900+ pages (mine is excessive for sure) lab report which included my workings on the course exercises as well. In addition, this is also assuming that my exam report was satisfactory and no marks was deducted from it. The wait was painful.
Then, on the 17th January, the best news came. I passed the exam and am now an Offensive Security Certified Professional (OSCP)!
Afterword and What is next
Now, the main part of this article was about what I feel and experienced through the exam. It is by no means an easy exam and definitely not one that can be done without practice or experience. While I am happy that I have achieved the certification, I think the significant part about the course is the process of learning and facing and overcoming the obstacles throughout the course. Whether it was a lack of knowledge, a lack of an eye for details or an exploitation process which you had no idea existed, it is all about the grit that you need to have to handle this OSCP course.
For me, it was also a process where I got to work on my character as well. Many times, the temptation to just read the writeup for the retired HTB boxes or to just ask for help straight in the forums was real. However, to gain the training experience fully, I had to resist and depend on my own belief system. I think having an inquisitive mind is good but a lazy mind that only wants answer (or root) is the greatest obstacle that will stop you from passing this exam.
Now that I have passed OSCP, I believe what is next for me is to keep honing my skills and growing it by gaining exposure from my internship and at the same time from reading more about the different methodologies and techniques used out there in the real environment. Once I feel much more confident, I would aspire to move on to tackle OSWE and OSEP and the new course to gain my next certification as a OSCE. However, I think that is still a faraway goal and certainly not on my to-do list right now (maybe in 5 years time?). Right now, I just want to keep learning, and keep growing until I am truly ready for the next step.
Here I would like to give special thanks to different persons and group of people for their help and advice:
Firstly, Soli Deo Gloria. I thank God and give this certification to Him. I believe that truly it is God who made this possible, and it was what was preached by my Pastors that got me to take the step of faith to take on this monster of a course called OSCP. More than that, despite having to prepare for my second attempt, I still managed to get good results for that term. For that, I want to thank God and also my pastors for preaching the Word.
Secondly, I want to thank the people who supported me throughout the entire journey. My church friends who bought me food and stood with me, my friend who looked out for me, making sure I was focusing not purely on this but all other area of my life, my friends in school for supporting me and encouraging me and helping me out with school too. I want to thank my mentor Konstantin for his advice and also his faith in me. I also want to shoutout to CptSticky for his awesome help and encouragement after my first failed attempt.(Met him on InfoSec Prep Discord channel).
Lastly, I want to thank Offensive Security for preparing an amazing course that allowed me to break into a field that I am strongly passionate about and for giving me to the opportunity to build a foundation that will help me be confident and to build upon as I progress in this field.
Also, if you want to read my writeups on HTB retired boxes:
Louis Low - Medium
Continuing on my road to OSCP certification, I am in the midst of preparation for the exams in January. Part of my…
I will be updating more contents such as write ups, etc.