My OSCP Experience — Straighten Up & Fly Right

Olga
11 min read · Jul 12, 2021


Today I finally received the certificate for the OSCP examination. Here is another story about going through the OSCP journey: the things I did wrong that slowed my overall progress, and the things I managed to get right that ultimately helped me pass on my first attempt.

Here I’ll follow the pattern of the exploitation steps that I’ve come to appreciate during my studies. What I’ll be covering in this post:

  • Information Gathering — a few words about my background
  • Exploitation — the initial preparations
  • Foothold — completing the PWK labs in 1 month
  • Escalation — my exam experience & tips
  • Post-Exploitation — report & my documenting system using Notion linked databases feature
  • Lessons Learned — the story conclusion and my plans for the future

Information Gathering

I decided to switch to the Information Security field in 2019. I was between jobs, looking for a kind of work that would bring me a deeper meaning and the prospect of constant self-improvement. That’s when I decided to try myself in the Information Security area, because as long as you learn to persevere and put in the hours for your studies and work, you will eventually develop your skills and become really good at what you do in this field. And the constantly changing landscape of this area of work will make sure you stay on your toes and always have room for growth.

I started doing Bug Bounty in 2019 with my husband but constantly found myself lacking at every step of the process, potentially slowing down the progress of my hacking family team. In 2020, when I found out about the prerequisites for Offensive Security’s certifications by reading online reviews, I was completely blown away by what people were saying about them. I knew it was what I needed to upgrade my skills.

Exploitation

I began the preparations about a year ago by purchasing a VIP subscription on HackTheBox. Slowly I was able to solve the challenges and ended up rooting almost all of the machines available at the time (around 160), even briefly entering the Top 100 Hall of Fame with my team. Even though I learned a lot, I never noticed that I had fallen into a rabbit hole somewhere along the way. Yes, identifying rabbit holes is one of the most important skills you can develop on the OSCP journey, but it really comes with experience and careful self-observation. My advice here would be to stick to the well-established scope of the certification, and also put a strict time limit on your studies; otherwise, the sheer amount of available content and its depth are all too easy for a newbie to get lost in.

My aim was to prepare for the OSCP, yet I had been straying ever further away from it, trying to complete CTF challenges instead of building up my methodology for the more real-life-oriented pentesting approach used by Offensive Security in their labs and exams. So I postponed my OSCP lab purchase, realizing that I would not be able to reap any benefit from the experience with the CTF-ish “overthinking” mindset, and spent the next few months trying to adapt to the “Try Harder” mindset.

Having completed almost everything available on HTB, documenting most of it along the way, I moved on to greener pastures: Virtual Hacking Labs, TryHackMe, and Proving Grounds Practice. I really can’t recommend these resources enough for training and establishing a solid methodology. If you have to choose where to start: TryHackMe is made for beginners, guiding and explaining almost everything you need at the start; VHL is comparable to the earlier (and easier) OSCP experience, great for establishing an enumeration methodology and manual exploitation skills; and Proving Grounds is the current state of affairs at Offensive Security, so get there whenever you feel confident about your enumeration and exploitation game and hone your skills! I have also completed the Tib3rius and The Cyber Mentor courses on Privilege Escalation. It was the vector I found myself lacking in a lot at the beginning; then it became one of my favorite ones.

Establishing an Initial Foothold

In February I was feeling ready enough, so I purchased 1 month of PWK beginning in the middle of March. A month might not be enough if you are just getting started, but as I have a tendency to get carried away, and had already taken quite a while to get here, constraining myself to a tight time limit was really motivating. Time was running short, so when the lab time began I dove headfirst into the practice. That month in the Offensive Security labs really helped me level up my skills. Every day was an exam simulation for me, as I was spending the whole day hacking my way through the provided internal network of the labs.

I ended up completing the labs, rooting every system that was present at the time — 70 machines. When the lab time ended, I gave myself another month for the final preparations and booked the exam for the 25th of May. I spent this time on Proving Grounds to keep the pace up and trained Buffer Overflows by reading the corresponding section of the PWK PDF and practicing it in the dedicated TryHackMe room. These repetitive exercises helped me complete the Buffer Overflow part of the exam in less than 40 minutes.

Privilege Escalation

My exam began at 11 A.M. I had read a lot about other people’s exam experiences on Reddit, so I wasn’t counting on passing on the first try. That way I wasn’t really feeling nervous or excited, just calm and steady. I was determined to see it through and give it my best. My plan was to go for the more difficult machines first (both 25-pointers) while I was still feeling sharp and thinking straight. That way, about 8 hours later, I had enough points to pass the exam.

My strategy changed throughout the months of preparations, but here is the one I found to be the most efficient.

Enumeration

Start with a full port scan using Rustscan, a faster Nmap alternative. This command performs a complete service scan in less than a minute, and the results quickly show a few points of interest, like outdated software or service versions, to check out:

  • sudo rustscan -a IP -- -A -sC

I used to rely on AutoRecon a lot during my preparations, but ended up not using it during the exam, as the volume of its output gets too extensive.

  • The exam machines are designed to be more confusing and overwhelming than the labs. It’s more about getting creative and connecting the dots, as a piece of information you find in one place sometimes must be put to use in another to work. The challenge here is keeping track of a large amount of information whilst also being thorough.

Perform the services enumeration using the step-by-step methodology you developed during your preparations.

  • My methodology is a mix of the information I found on the Internet (mainly the HackTricks by Carlos Polop, who is also the creator of the awesome PEAS Privilege Escalation Enumeration scripts) and my own bits I’ve added throughout my training.
  • It’s mostly about finding outdated versions that are likely to be vulnerable, while taking notes on the presence of any custom, out-of-the-ordinary content — information disclosure like forgotten comments in the page source or configuration files, anything that exposes usernames, credentials, the webroot directory, etc.
  • Download and document every piece of information that you find, as your attention tends to fade as the exam hours fly by.

For the web information-gathering part, I use a combination of Feroxbuster and FFUF, both of which can recursively scan directories at an incredible speed. These two content discovery commands have helped me on numerous occasions:

  • ffuf -recursion -c -e '.htm','.php','.html','.js','.txt','.zip','.bak','.asp','.aspx','.xml','.py','.log','.json','.old' -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://IP:8080/FUZZ
  • feroxbuster -u http://IP/ -x htm php html js txt zip bak asp aspx xml py -r -o 80-ferox.txt -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -t 100

Exploitation

By this point, you should have a sufficient amount of information for the exploitation phase.

  • Try the publicly available exploits found on the Internet for the version identified earlier (search for “[service name] exploit”). More often than not the exploits will require some basic modifications on your part, so be comfortable reading and editing the strategic places in the code, like the system commands.
  • Try logging in using the credentials you’ve gathered so far. Use and reuse every possible combination. Brute force only if getting desperate.
  • Have a list of alternative reverse shell one-liners. Not every system command will work the intended way, so you had better help yourself with a backup plan here.

Escalation

After getting the initial shell, whether you’re on a Windows or Linux target, the escalation vectors you’re enumerating for will be different.

  • I’ll always start with a PEAS enumeration script, but at the same time look at the main strategic points of interest manually, as the automatic tools might sometimes overlook an important piece of information.
  • Get familiar with the Linux and Windows filesystem defaults during your preparations; this way your pentester’s intuition will be able to help you during the exam. As usual, it is expected that you research all the privilege escalation vectors by yourself for maximum productivity.

Post-Exploitation

Post-Exam: Report

Take your time checking whether you have documented all the required steps thoroughly by paying close attention to the exam guidelines. Take the report seriously. I used the Offensive Security Exam Report Template in Markdown by Noraj and the report turned out just great with its help. Make sure to take the screenshots for every relevant step of the exploitation.

Pre-Exam: Organizational

Now I’ll take some time talking about the organizational part. I found that a tidy and more minimalistic setup works best for me, so I prepared the templates for the exam in Notion beforehand, each of the pages following the same pattern I used here in my post: Information Gathering → Exploitation for the Initial Foothold → Privilege Escalation. I created a directory for each of the 5 systems on Kali following the same naming pattern as in Notion and left a separate tab for each of them in the same terminal. This helped a bit with the information overflow that multiple terminal screens, open folders, and infinite browser tabs otherwise tend to cause in the long run.
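The per-target directory layout described above can be scripted so every exam machine starts from the same skeleton. The POSIX shell helper below is an added example written for this post, not the author’s own script or anything from Offensive Security; the phase directory names, the default base directory `~/oscp-exam`, and the notes checklist are my assumptions, chosen to mirror the Information Gathering → Exploitation → Privilege Escalation pattern.

```shell
# Hypothetical helper (added example, not from the post): create one workspace per
# exam target, mirroring the Notion page pattern (Information Gathering ->
# Exploitation -> Privilege Escalation), so scan output, screenshots and notes
# for a target all land in one predictable place.
#
# Usage: mkworkspace <target-name> [base-dir]   (base-dir defaults to ~/oscp-exam)

# Phase directories, numbered so they sort in methodology order (assumed names).
WORKSPACE_PHASES="01-information-gathering 02-exploitation 03-privilege-escalation 04-loot screenshots"

mkworkspace() {
    name=$1
    base=${2:-"$HOME/oscp-exam"}

    # Accept only a conservative name: no empty string, no leading dot, no slashes.
    # This keeps a mistyped argument from creating directories outside base-dir.
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*)
            printf 'mkworkspace: invalid target name: %s\n' "$name" >&2
            return 1 ;;
    esac

    root="$base/$name"
    for phase in $WORKSPACE_PHASES; do
        mkdir -p "$root/$phase" || return 1
    done

    # Seed a notes file with the same checklist structure the post describes;
    # never overwrite notes that already exist for this target.
    notes="$root/notes.md"
    if [ ! -f "$notes" ]; then
        cat > "$notes" <<EOF
# $name

## Information Gathering
- [ ] full port/service scan, output saved under 01-information-gathering/
- [ ] per-service enumeration (versions, banners, anything custom or out of the ordinary)
- [ ] web content discovery on every HTTP port

## Exploitation
- [ ] public exploits for the identified versions (note every modification made)
- [ ] every credential found tried against every service
- [ ] backup reverse shell one-liners ready

## Privilege Escalation
- [ ] enumeration script output saved under 03-privilege-escalation/
- [ ] manual checks of the usual points of interest
- [ ] proof files collected under 04-loot/, screenshots under screenshots/
EOF
    fi

    # Print the workspace path so a caller can do: cd "$(mkworkspace target1)"
    printf '%s\n' "$root"
}
```

Running `mkworkspace target1` once per exam machine gives five identically laid-out folders, and the printed path makes it easy to open one terminal tab per target already sitting in the right directory. The name check is there because the function creates directories from its argument: a stray `../` or a leading dot would otherwise put files somewhere you did not intend.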

Minimalistic exam page
The sub-page for the 10-pointer displaying the quick access via the Table of Contents

My Note-taking system

As for the note-taking system in general, I found that the one that works for me specifically is one that can interconnect pieces of information from different sources without making a mess of them. I used to rely on Notion’s search function only, but as the amount of data I was adding to this program grew by the day, it became harder to quickly locate whatever particular item I was looking for.

Now I use a separate database for each hacking platform, such as HackTheBox, TryHackMe, Proving Grounds, etc. To quickly see the correlations between topics I use a master Tags database, where I take note of every technology, technique, or attack vector that I find relevant to the current scope of research. To link a tag in any database, you just have to add a property to it: in the database options choose “Add Property” → Property Type “Relation” → the Tags database, which creates a relation between the two (or more) databases.

You can create even more complex outputs with the “Rollup” property. In the example below, the articles from my Knowledge Base database with the same tag as the technology present on the vulnerable system (in the case of the HTB Feline box they are the Apache Tomcat, SaltStack, Docker) will be displayed automatically whenever you add them.

A page displaying the Rollup functionality

The image below displays the general view of my Tags database, where you can quickly see where a tag is being used. Then going to any of the dedicated pages will display all of the information gathered about a resource.

The general view of the Tags database

In the case of the WordPress tag, seen in the image below, the Reference section is a Knowledge Base database entry containing the general pentesting tips on WordPress, and the rest are my writeups on the different training platforms where the exploitation of WordPress is involved.

An overview of a tag displaying all the databases where it is being used

The same database correlation can be reused in different tables of the same database. In the image below, you can see that I separated tags into the main phases of exploitation for the HackTheBox database. Using the search bar you can quickly access any of your content. I have around 150 HTB boxes documented here; say I want to review only the boxes from the famous TJNull’s OSCP list, which I marked with the OSCP-prep tag. I only need to type OSCP into the search bar, and this outputs the 25 results I have in this case, sorted by OS type and difficulty.

The results of the search for the OSCP-related boxes on HTB

Separating all the recurring commands of each major exploitation step into a single page for the OSCP scope helped me save time and many clicks per day. Every entry is behind a toggle that can be opened and closed at any time to keep it compact.

My main page for the OSCP prep, with the condensed info and links

You can see in the image below that after expanding the toggle dedicated to Windows Post-exploitation, I can access any links I left to more detailed explanations from my main Knowledge Base database, as well as my step-by-step methodology, checklists, and other useful data. (The OSCP Windows PrivEsc link here leads to my notes on the Tib3rius course I mentioned earlier. As I don’t always need all of its contents, leaving a link to the article is enough.)

Windows Post-Exploitation section

The visual differences from vanilla Notion (I use the purple gamer-style theme) and other useful functionality, such as multiple tabs or the ‘Always on top’ button, come from the Notion Enhancer. The icons I use are mainly from the icons8 website or Pinterest.

Lessons Learned

Key takeaways:

  • Get while the getting’s good. Practice to gain as much experience as you can before the PWK labs and the OSCP exam, but don’t overthink or overdo it; the certification is considered entry-level in the Penetration Testing area for a reason.
  • Time is precious, so develop a meaningful note-taking system that can work for you, not against you. As the Roman philosopher Seneca said, “Luck is what happens when preparation meets opportunity.”
  • Learn how to prioritize. Separate the wheat from the chaff. You are the one to decide how much of your time to spend on this, and how much on that. You must decide what to pursue and when to Try Harder™, and when it is wiser to let go.
  • Circumstances change, and so can you. Enjoy yourself and make this experience change you for the better. It’s a marathon, not a sprint, so learn how to entice yourself into sustainable, productive activity along the way.

As for my plans, I’m going for the OSEP certification next as I’d like to learn more about the Active Directory attacks and Red Teaming in general. So thank you for reading and hope to see you next time!
