A Script Kiddie’s guide to Passing OSCP on your first attempt.

You’re probably thinking, “man, not another ‘I did OSCP’ blog or rant.” Yes, there are a lot out there and everyone wants to share their experience. But you are probably looking at doing your OSCP exam in the near future and are probably a beginner at Offensive Security. HTB has you labelled as a Script Kiddie.

So am I. At the time of writing I am 21.5% of my way to “Hacker” status here at HTB.

I am writing this because I want to help anyone pass the exam and earn it – first go. But if you don’t pass it first go, don’t get discouraged. Take it as a learning experience, figure out why you failed, improve your process and try again.

A Bit of background
I am a husband with a young family, two kids under the age of three, and I work full time. If you can relate, you know you don’t get much time to yourself. But rethink it and you do. I studied when the kids went to bed and while travelling to and from work. Total time per day would be 1 to 2 hours. Weekends, forget it, unless the kids are out with my wife. At the end of the day, like any skill, the more time you commit to practicing the better you will get. Don’t make excuses that you don’t have time, because you do.
My IT skill level: I’ve been a Sys Admin, Network Engineer and Infrastructure Engineer for more than 10 years. I am not going to tell you the certs I have acquired throughout the years because when it comes to OSCP, it doesn’t matter. The main thing is being passionate about Offensive Security, with the willingness to learn and to put the time in. OSCP is a different beast to all other certifications.

OSCP was my introduction to Offensive Security or Ethical Hands on Hacking.

OSCP Material and Lab
I purchased the 90-day lab with the material. One thing I didn’t like about this is that you will spend the first month going through the material, which gives you a realistic 60-day lab time. But hey, that’s life.

A summary:
• I read the PWK material twice
• I pwned 29 machines in the lab in the 90 days
• Pay attention to what each machine is trying to teach you
• I focused on easy machines then tackled the hard ones like Payday, Gh0st, Sufferance and Pain
• I didn’t touch Buffer Overflow

After Lab time
• I didn’t purchase extra lab time because it’s too expensive. Instead I practiced using abatchy’s recommended OSCP-like VulnHub VMs. If you couldn’t do these on your first go, don’t worry. I couldn’t either. See abatchy’s blog, OSCP-like Vulnhub VMs.
• I focused on Buffer Overflow. Don’t ignore Buffer Overflow. This is a 25-pointer in the exam and it should be an easy 25 points. I practiced by spinning up a Windows VM (free download from the Microsoft Edge Developer website) and installing these recommended OSCP-like Buffer Overflow practice apps (https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/). You don’t need to do Savant, because it’s too advanced for the OSCP BO. Focus on SLMail, FreeFloat and MiniShare. I practiced for a good month understanding every step. Make sure you also download Brainpan from VulnHub because this machine teaches how to handle A LOT of bad characters – which is something that you will need to know for the exam. I broke down the BO into a 5-6 step process to help me remember and probably did it more than 30 times.
• I then purchased a 1-year subscription to HTB and practiced using the machines listed in the OSCP Practice - Machines thread on the Hack The Box forums.

From getting the OSCP material to taking the exam, it took me 10 months, including a break over Christmas/New Year. My problem was I didn’t know if I was ready or not, because I found some of the recommended VulnHub and HTB machines difficult. Also, with HTB some of the OSCP practice machines would only be online for a week, and I only had a couple of hours a day if I was lucky, so it felt like I was rushing to learn before the box went away the next week. If you are in this situation, perhaps focus on trying to pwn the machine you’re practicing on for the first three days, then watch ippsec’s walkthrough. You need that hands-on practice; don’t rely on just watching videos and reading walkthroughs.

How I approached the exam
If you don’t know the grading, you need 70 points to pass. There are 1x 10-point machine, 2x 20-point machines and 2x 25-point machines.
• Realistically, I don’t have 24 hours because I need sleep. I need 6 hours to be functional, so that gives me 18 hours.
• Battleplan: you need one. With 18 hours, I need to automate all the scanning so I’m not wasting time. My plan was:
◦ Start an automated scan on the 25- and 20-point machines using Sparta or this great tool from @21y4d, nmapAutomator (see his thread OSCP Exam review "2019" + Notes & Gift inside! in Off-topic on the Hack The Box forums). I had Sparta configured prior, but I tested 21y4d’s tool out here at HTB and it worked well. I ended up using this in the exam – thanks @21y4d!
◦ While the scan is running in the background, focus on Buffer Overflow.
◦ After BO, focus on the 25-pointer, then the 2x 20-pointers.
◦ I left Metasploit until the very end, once I had attempted to exploit all the machines without it.

The Exam
• My start time was very early in the morning, 4:00 am, because my brain is at its peak in the first few hours (I could think clearly), and I am already up at that time because my kids are awake.
• It took me 11 hours to get the passing mark: 4 boxes.
• It took me 40 mins to get Buffer Overflow.
• I ended up getting low-priv on the last machine but stopped at priv esc because I needed Metasploit, which I had used earlier (more on this later).

What the Exam Machines are like
1x 10-pointer: this is an easy boot-to-root machine. There will be a lot of ports open, similar to Metasploitable, but look for the unique service on a unique port. This took me 10 mins.

2x 20-pointers: these will be similar to HTB machines such as October, Popcorn, Shocker and Beep.

2x 25-pointers: one is Buffer Overflow and the other is a slightly harder, rabbit-hole-filled machine. Maybe Giddy or Jeeves.

Tips that will help you during the exam
• Automated scan is a must so you don’t waste time
• Buffer Overflow is an easy 25 points. If you practice with SLMAIL, FreeFloat FTP and Brainpan you should get this.
• Rabbit holes. The 25-pointer and 2x 20-pointers are filled with them. Reading g0tmi1k’s Alpha walkthrough will help you manage this. If you are getting nowhere and repeating the same commands expecting a different outcome, you are in a rabbit hole. I fell into this trap with my 25-pointer and spent 4 hours after BO on this single machine and didn’t even get low-priv, so I accepted my defeat for now and moved on to the next box.
• Metasploit. Manage your use of it. After moving on from the 25-pointer rabbit hole, I was able to pwn one of the 20-point boxes without Metasploit. I then moved to the other 20-pointer and tried all the possible non-Metasploit options. No dice. So I checked out the 10-pointer to make sure Metasploit was not required. 10 mins later, pwned without Metasploit. So I could now use Metasploit on the other 20-pointer.
• Priv Esc: remember, they want you to use a specific technique. Enumerate and run this: “which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null”. If you don’t see a compiler such as GCC, you know it’s probably not going to be a kernel exploit. So enumerate and use LinEnum.sh or linuxprivchecker.py. I found that one of my 20-point boxes only had perl and wget, so I was looking for priv esc related to perl. The other 20-pointer had GCC, so I googled a Linux exploit and 2 minutes later I was root.

Reporting
I didn’t reinvent the wheel. I used their standard template and geared it towards my findings. With all the screenshots and how-tos, it was about 50 pages. Make sure you take plenty of screenshots and take notes, because they are expecting you to write down how you compromised the machine in a step-by-step fashion so it can be repeated.

What the Proctoring is like
Apart from expecting you to log in 15 minutes before to prep, it is non-intrusive while doing the exam. Their video feed will cut out after a couple of hours, at which point they will ask you to restart the camera; they want you to tell them when you’re stepping out, and that’s about it. I think all of this is fair game. I stepped out for around 3 hours after I knew I had passed, as the kids were calling; when I came back they just reminded me to let them know.

OSCP Expectations on your skill level
Remember that this is a beginner Offensive Security certification. They are not expecting you to know web attacks such as bit flipping or LFI via PHP Info. The techniques they teach you in the course should be sufficient; just adapt them to the machine you are up against. That doesn’t mean only focus on the course material; definitely expand your knowledge, read write-ups and watch ippsec’s videos. Don’t expect any machines that require you to do crazy hacks. I believe all the exploits they want you to use are in ExploitDB. The biggest thing is to enumerate, and enumerate well! Remember that there is a way into these machines, you just have to find it.

Lastly, I don’t think I’m smart because I passed first go without pentest experience. You’re not going to find me coming 1st in CTFs; what I am, though, is persistent and disciplined about learning. I enjoy learning IT and IT Security. It becomes almost a hobby and something I look forward to doing. So if you want to pass, studying and learning shouldn’t be a drag, rather something you enjoy.

If you are planning to do the exam soon, good luck and study hard. Thanks for reading and hope you get something good out of this.
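Two of the buffer overflow steps the post talks about, finding the EIP offset with a cyclic pattern and identifying bad characters by diffing what was sent against what ended up in memory, as an added example. This is not code from the original post, nor from Immunity Debugger, mona.py or any of the practice applications named above; it runs offline, and the "memory dumps" are constructed byte strings standing in for what you would read out of the debugger after a crash. It goes slightly beyond the post by telling apart the three ways a bad character shows up (altered in place, dropped, or truncating the copy), which is the part Brainpan-style targets make painful.

```python
"""Two steps of the stack overflow workflow the post breaks into 5-6 steps:
finding the EIP offset with a cyclic pattern, and identifying bad characters
by diffing the buffer sent against the bytes found in memory afterwards.

Added example, not code from the original post or from any tool it names.
It runs offline: the "memory dumps" below are constructed byte strings that
stand in for what you would read out of the debugger after a crash.
"""
import string


def cyclic_pattern(length):
    """Metasploit-style pattern ("Aa0Aa1Aa2...Ab0Ab1..."): every position
    holds a unique upper/lower/digit triplet, so any 4-byte window that lands
    in EIP identifies its own offset. Capped at 20280 bytes (26*26*10*3)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip_value, length=20280):
    """Offset into the pattern of the 4 bytes that landed in EIP.
    eip_value is either the integer the debugger shows (x86 is little-endian,
    so 0x39694438 was the bytes b"8Di9" in the buffer) or those 4 raw bytes.
    Returns -1 when the value does not come from the pattern at all, which
    usually means the crash is not a straightforward EIP overwrite."""
    if isinstance(eip_value, int):
        needle = eip_value.to_bytes(4, "little")
    else:
        needle = bytes(eip_value)
    return cyclic_pattern(length).find(needle)


def badchar_buffer(exclude=(0x00,)):
    """All byte values 0x00..0xff minus those already known to be bad.
    0x00 is excluded by default: it terminates C strings, so it is bad for
    almost every string-handling target and would hide everything after it."""
    return bytes(b for b in range(0x100) if b not in exclude)


def find_bad_chars(sent, dumped):
    """Walk the buffer we sent alongside the bytes read back from the stack.

    Returns a dict {bad_byte: what_happened}. Three failure modes are told
    apart, because they call for different follow-up:
      * "altered to 0x..": the byte was replaced in place (e.g. case folding);
      * "dropped": the byte vanished and everything after it shifted by one;
      * "truncated the buffer": the copy stopped here, so nothing after this
        byte can be judged from this run. Remove it and send again.
    Heuristic caveat: a byte replaced in place by exactly the next byte's value
    is indistinguishable from a dropped byte in a single run.
    """
    bad = {}
    i = j = 0
    while i < len(sent) and j < len(dumped):
        if sent[i] == dumped[j]:
            i += 1
            j += 1
        elif i + 1 < len(sent) and dumped[j] == sent[i + 1]:
            bad[sent[i]] = "dropped"
            i += 1                      # dump re-syncs with the next sent byte
        else:
            bad[sent[i]] = "altered to 0x%02x" % dumped[j]
            i += 1
            j += 1
    if i < len(sent):                   # dump ran out before the buffer did
        bad[sent[i]] = "truncated the buffer"
    return bad


if __name__ == "__main__":
    print("EIP 0x39694438 -> offset", pattern_offset(0x39694438))

    sent = badchar_buffer()
    # Constructed dump: the target dropped 0x0a, rewrote 0x0d as 0x20, and
    # truncated the copy at 0x40. In practice you remove the bad bytes found,
    # re-send, and repeat until the dump matches the buffer byte for byte.
    dumped = bytes(b for b in sent if b != 0x0a).replace(b"\x0d", b"\x20")
    dumped = dumped[:dumped.index(0x40)]
    for byte, what in sorted(find_bad_chars(sent, dumped).items()):
        print("0x%02x: %s" % (byte, what))
```

The truncation case is why the loop has to be repeated: once a byte cuts the copy short, every byte after it is unobserved in that run, so one pass over the full 0x01..0xff range is rarely enough on its own.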

When I was passing my OSCP, the debug machine had network connectivity with all the other machines. Very fast connectivity… scanning took seconds :wink:

Congrats on passing the exam.
Nice write-up, and I’m glad you found nmapAutomator to be helpful:)

Good write up. Congrats buddy. Enjoy :slight_smile:
I can relate to your background, with two kids and a full-time job (I have one kid, and my commute is horrible, 2 hours to and fro).
I am not able to spend more than an hour or two a day. With spring and summer coming up, that’s also going to be tough.

thanks

Congratulations on passing it.

Thanks for taking the time to read and messages.
@21y4d - comparing your tool to Sparta, I found yours to be better. Not saying Sparta is not great, but the way you lay out the results is easier to digest in the terminal. Plus I find Sparta runs all the commands concurrently, which causes minor performance problems; yours is sequential. Have you tried adding SearchSploit to your tool? I have this running on Sparta but the output is not as clean.

@blacksh33p said:
Thanks for taking the time to read and messages.
@21y4d - comparing your tool to Sparta, I found yours to be better. Not saying Sparta is not great, but the way you lay out the results is easier to digest in the terminal. Plus I find Sparta runs all the commands concurrently, which causes minor performance problems; yours is sequential. Have you tried adding SearchSploit to your tool? I have this running on Sparta but the output is not as clean.

Glad you like it :slight_smile:
I didn’t add searchsploit because I run nmap vulners for CVEs based on service flags and versions, which should do the same job as searchsploit.

Thanks for the write-up.

Dear blacksh33p

Consistent approach and clarity. Surely that gave you success. Well articulated write up on OSCP.
Really guiding.

Please also give details of the VMware Workstation image: additional tools required to be installed, etc., and whether updates are OK or will hamper the buffer overflow.

@singham said:

Please also give details of the VMware Workstation image: additional tools required to be installed, etc., and whether updates are OK or will hamper the buffer overflow.

Hi singham
The VMware Workstation image I used for buffer overflow only had Immunity Debugger with mona.py installed. Other than that, the SLMail, FreeFloat FTP and MiniShare applications. FreeFloat FTP was the main application I used to practice. It was a Windows 7 machine, so I just had to remember that my offsets would change after a reboot due to ASLR.
I wouldn’t bother updating the buffer overflow VM, because you will need to snapshot the base install so that when the evaluation expires you can restore it.

Congratulations. Very nice write-up. I have a question about your following comment

Also, with HTB some of the OSCP practice machines would only be online for a week
Do these machines get retired, and is that why they are only online for a week? Even with your 1-year subscription, you still don’t get access to these machines?

@blacksh33p Thanks for this write-up. I used it to pass the OSCP exam in the past week. The biggest takeaway I had was to have a strategy for moving through the targets. That helped me tremendously. This was my second attempt. Having the prior experience, and your advice, helped me to manage my time. I had a 3 PM start time, took some breaks, and went to bed at 1 AM knowing I had about 65 points (55 points + partial credit for low-priv user on a 25 point target). I knew then I only had to wake up, and have 8 hours to take down the last 20 point target.

Hello everyone, ladies and gentlemen.
I do not work as a professional in digital security, I am a professional in maritime navigation (chief officer on the commercial fleet). But I’m 57 already, my pension is in my pocket, my granddaughter is growing up, etc. I would love to start working as a system administrator, pentester, etc. (it’s time to finish working in the fleet, but not to lie at home on the couch), but employers need “young and experienced” - an interesting wording. I have no doubt that I will pass this exam (I will prepare and pass, 800-900 $ for preparation is not large money), but what’s the point of not getting a job later?
So I will continue to have fun on HTB - a hobby is a hobby.
And I wish good luck to the youth …

@ZloyObezyan I think your best bet would be to go as a freelancer or start your own business as sysadmin/pentester.

I like this flood very much, thanks

@zalpha said:

@blacksh33p Thanks for this write-up. I used it to pass the OSCP exam in the past week. The biggest takeaway I had was to have a strategy for moving through the targets. That helped me tremendously. This was my second attempt. Having the prior experience, and your advice, helped me to manage my time. I had a 3 PM start time, took some breaks, and went to bed at 1 AM knowing I had about 65 points (55 points + partial credit for low-priv user on a 25 point target). I knew then I only had to wake up, and have 8 hours to take down the last 20 point target.

@zalpha - very nicely done! Having a game plan is key!

@kamransb said:
Congratulations. Very nice write-up. I have a question about your following comment

Also, with HTB some of the OSCP practice machines would only be online for a week
Do these machines get retired, and is that why they are only online for a week? Even with your 1-year subscription, you still don’t get access to these machines?

@kamransb - sorry for the late reply. You don’t have this issue anymore because they have changed the format here at HTB. Good luck if you attempt the exam.

Great analysis of the OSCP. I went into it earlier this year and overthought everything, which was a major reason why I didn’t pass. Now that I’ve spent a bit more time in the industry and started to think more logically about the entire process, I feel that I would be better suited for this exam, maybe in the next year or so. Experience is a must!

Thanks again!