A Script Kiddie’s guide to Passing OSCP on your first attempt.

Your probably thinking, “man not another I did OSCP” blog or rant. Yes, there are a lot out there and everyone wants to share their experience. But you are probably looking at doing your OSCP exam in the near future and probably a beginner at Offensive Security. HTB has your labelled as a Script Kiddie.

So am I. At the time of writing I am 21.5% my way to “Hacker” status here at HTB.

I am writing this because I want to assist anyone pass the exam and earn it – first go. But if you don’t pass it first go, don’t get discouraged. Take it as a learning experience, figure out why you failed, improve your process and try again.

A Bit of background
A husband with a young family, two kids under the age of three and working full time. If you can relate, you know you don’t get much time to yourself. But, rethink it and you do. I studied when the kids go to bed and travelling to and from work. Total time per day would be 1 to 2 hours. Weekends, forget it unless the kids are out with my wife. At the end of the day, the more time you commit to practicing like any skill the better you will get. Don’t make excuses that you don’t have time, because you do.
My IT skill level: I’ve been in Sys Admin, Network Engineer and Infrastructure Engineer for more than 10 years. I am not going to tell you the certs I have acquired throughout the years because when it comes to OSCP, it doesn’t matter. The main thing is being passionate about Offensive Security with the willingness to learn and putting the time in. OSCP is a different beast to all other certifications.

OSCP was my introduction to Offensive Security or Ethical Hands on Hacking.

OSCP Material and Lab
I purchased the 90-day lab with the material. One thing I didn’t like about this is you will spend the first month going through the material which gives you a realistic 60-day lab time. But hey, that’s life. A Summary
• I read the PWK material twice
• I pwned 29 machines in the lab in the 90 days
• Pay attention on what each machine is trying to teach you
• I focused on easy machines then tackled the hard ones like Payday, Gh0st, Sufferance and Pain
• I didn’t touch Buffer Overflow

After Lab time
• I didn’t purchase extra lab time because it’s too expensive. Instead I practiced using abatchy’s recommended OSCP like Vulhub VM’s. If you couldn’t do these on your first go, don’t worry. I couldn’t either. https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms
• I focused on Buffer Overflow. Don’t ignore Buffer Overflow. This is a 25 pointer in the exam and it should be an easy 25 points. I practiced by spinning up a Windows VM (free download from Microsoft https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) and installing these recommended OSCP like Buffer Overflow Practice apps (https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/). You don’t need to do Savant, because it’s too advanced for OSCP BO. Focus on SLMAIL, FreeFloat and Minishare. I practiced for a good month understanding every step. Make sure you also download Brainpan from VulnHub because this machine teaches how to handle A LOT of bad characters – which is something that you will need to know for the exam. I broke down the BO into a 5-6 step process to help me remember and probably did it more than 30 times.
• I then purchased 1 year subscription of HTB and practiced using these machines https://forum.hackthebox.eu/discussion/612/oscp-practice.

From getting the OSCP material to taking the exam, it took me 10 months taking a break between Christmas/New Years. My problem was I didn’t know if I was ready or not because I found some of the recommended VulnHub and HTB machines difficult. Also, with HTB some of the OSCP practice machines would only be online for a week and I only had a couple of hours a day if I am lucky so it felt like I am rushing so I can learn before the box goes away next week. If you are in this situation perhaps focus on trying to pwn the machine your practicing on the first three days then watch ippsec’s walkthrough. You need that hands on practice and dont rely on just watching videos and reading walkthroughs.

How I approached the exam
If you don’t know the grading, you need 70 points to pass. There are 1x10 point machine, 2x20 point machines and 2x 25 point machines.
• Realistically, I don’t have 24 hours because I need sleep. I need 6 hours to be functional so that gives me 18 hours.
• Battleplan: you need one. With 18 hours, I need to automate all the scanning so I’m not wasting time. My plan was;
◦ Start an automated scan on the 25 and 20 point machines using Sparta or this great tool from @21y4d (nmapAutomator) https://forum.hackthebox.eu/discussion/1655/oscp-exam-review-2019-notes-gift-inside. I had Sparta configured prior, but I tested 21y4d’s tool out here at HTB and it worked well. I ended up using this in the exam – thanks @21y4d!
◦ While the scan is running in the background, focus on Buffer Overflow.
◦ After BO, focus on the 25 pointer then after 2x 20 pointers.
◦ I left using Metasploit right at the end once I have attempted to exploit all the machines without it.

The Exam
• My start time was very early in the morning because my brain is at its peak the first few hours (I could think clearly). And I am already up because my kids are awake. 4:00 am.
• It took me 11 hours to get the passing mark. 4 boxes.
• It took me 40 mins to get Buffer Overflow.
• I ended up getting low priv on the last machine but stopped at priv esc because I needed Metasploit which I used earlier (more on this later)

What the Exam Machines are like
1x10 pointer: this is easy boot to root machine. There will be a lot of ports open similar to Metasploitable but look for the unique service in a unique port. This took me 10 mins.

2x20 pointer: These will be similar to HTB machines such as October, Popcorn, Shocker, Beep.

2x25 pointer: One is Buffer Overflow and the other is a slightly harder, rabbit holed filled machine. Maybe Giddy, Jeeves.

Tips that will help you during the exam
• Automated scan is a must so you don’t waste time
• Buffer Overflow is an easy 25 points. If you practice with SLMAIL, FreeFloat FTP and Brainpan you should get this.
• Rabbit Holes. The 25 pointer and 2x20 pointers are filled with it. Reading g0tm1lks Alpha walkthrough will help you manage this. If you are getting no-where and repeating the same commands expecting a different outcome, you are in a rabbit hole. I fell in this trap with my 25 pointer and spent 4 hours after BO on this single machine and didn’t even get low-priv, so I accepted my defeat for now and ended up moving on to the next box.
• Metasploit. Manage the use of it. After moving on from the 25 pointer rabbit hole, I was able to pwn one of the 20 point boxes without Metasploit. I then moved to the other 20 pointer and tried all the possible non Metasploit options. No dice. So I checked out the 10 pointer to make sure Metasploit is not required. 10 mins later, pwned without Metasploit. So I can now use Metasploit on the other 20 pointer.
• Priv Esc: Remember, they want you use a specific technique. Enumerate and run this:_ “which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null”_ If you don’t see a compiler such as GCC, you know it’s probably not going to be a kernel exploit. So enumerate and use LinEnum.sh or Linuxprivescchecker.py. I found on one of my 20 point boxes it only perl and wget, so I was looking for priv esc related to perl. The other 20 pointer had GCC, so I googled a linux exploit, 2 minutes later I am root.

Reporting
I didnt reinvent the wheel. I used their standard template and geared it towards my findings. With all the screenshots and how to's, it was about 50 pages. Make sure you take plenty of screenshots and take notes because they are expecting you to write down how you compromised the machine in a step by step fashion so it can be repeated.

What the Proctoring is like
Apart from expecting you to login 15 minutes before to prep, it is non-intrusive while doing the exam. Their video feed will cut after a couple of hours which they will ask you to restart the camera, they want you to tell them when your stepping out and that’s about it. I think all of this is fair game. I stepped out after I knew I passed for around 3 hours as the kids were calling, when I came back they just reminded me to let them know.

OSCP Expectations on your skill level
Remember that this is a beginner Offensive Security Certification. They are not expecting you to know web attacks such as bit flipping or LFI PHP Info. Techniques that they teach you in the course should be sufficient just alter it to the machine you are up against. That doesn’t mean only focus on the course material, definitely expand your knowledge, read write-ups and watch Ippsec’s videos. Don’t expect and machines that require you to do crazy hacks. I believe all the exploits they want you to use are all in ExploitDB. Biggest thing is Enumerate and enumerate well! Remember that there is a way in these machines, you just have to find it.

Lastly, I dont think im smart because I passed first go without pentest experience. Your not going to find me coming 1st in CTFs, what I am though is persistent and disciplined to learning. I enjoy learning IT and IT Security. It becomes almost a hobbie and something I look forward to doing. So if you want to pass, studying and learning shouldn’t be a drag to do, rather something you enjoy.

If you are planning to do the exam soon, good luck and study hard. Thanks for reading and hope you get something good out of this.

blacksh33p
OSCP | CEH | CCNA Security and R&S | Sec+ | MCSE

Tagged:

Comments

  • When I was passing my OSCP debug machine had network connectivity with all other machines. Very fast connectivity ... Scanning took seconds -;)

    m4rc1n

  • Congrats on passing the exam.
    Nice write-up, and I'm glad you found nmapAutomator to be helpful:)
  • Good write up. Congrats buddy. Enjoy :)
    I can relate myself with your background with two kids and full time job(I have one kid, my commute is horrible 2 hours to and fro).
    I am not able to spend more than an hour or two in a day. With Spring and summer coming up, that's also going to be tough.

    sesha569

  • Thanx for write-up! Congrats!

    YanTayga

  • thanks

    peek

  • Congratulations on passing it 👍
  • Thanks for taking the time to read and messages.
    @21y4d - comparing your tool to Sparta, I found yours to be better. Not saying Sparta is not great, the way you layout the results is easier to digest in the terminal. Plus I find Sparta runs all the commands concurrently which causes minor performance problems, yours is sequential. Have you tried adding SearchSploit to your tool? I have this running on Sparta but output is not as clean.

    blacksh33p
    OSCP | CEH | CCNA Security and R&S | Sec+ | MCSE

  • > @blacksh33p said:
    > Thanks for taking the time to read and messages.
    > @21y4d - comparing your tool to Sparta, I found yours to be better. Not saying Sparta is not great, the way you layout the results is easier to digest in the terminal. Plus I find Sparta runs all the commands concurrently which causes minor performance problems, yours is sequential. Have you tried adding SearchSploit to your tool? I have this running on Sparta but output is not as clean.

    Glad you like it :)
    I didn't add searchsploit because I run nmap vulners for CVEs based on Service flags and versions, which should do the same job as searchsploit.
Sign In to comment.