How I passed OSCP and advice for new OSCP students
A lot of people keep saying how difficult it is to get; however, I mostly disagree. OSCP is tough, but it is still an entry-level exam.
Having recently read a few posts with the same tone on r/OSCP, I decided to tell you how I succeeded, not to brag about myself, but to help you understand that this is doable.
TL;DR: Tips to get OSCP
Here are the tips so that you don't have to read the whole thing:
About the preparation: DO:
- Enjoy studying! Offensive Security courses are great.
- Do study every day, not necessarily for hours, but every day. I only had 2 to 3 hours available each day, and that was enough. Steady beats quantity: every day, instead of burning your wings at 10 hours a day for two months and then being brain dead.
- Do note every step you missed. I had a 4-colour Bic pen: green for pieces of awesomeness I found useful but difficult to memorize, red for shit I keep missing over time, etc.
- Do find your own way to keep track, because time is gold, and learning the same shit again because you keep forgetting it is wasted effort and time you can't afford.
- Do practice on Proving Grounds. One box a day. When you feel like you're running out of ammo, no need to go crazy; just learn from the write-ups, and do note why you needed the write-up. I missed this box because:
  - I keep mistaking this for that → write it in red;
  - this is a new technique I had no idea about → write it in blue;
  - this is an awesome command → green, like a true piece of awesomeness, etc.
- Do keep a joyful mind. Go on holidays, meet friends, fuck; life is beautiful, with or without OSCP.
This way you will be close to ready in 6 months if you start from nothing, or 3 months if you already have an IT / security background.
About the preparation: DON'T:
- DON'T tell colleagues that you're dedicated to winning your cert. Some people may put pressure on you; even some friends may feel jealous and fear your success. Refuse pressure. Like "So dude, is it finally the big day? Still not succeeding, right? Man, that sucks" (I know, just shut the fuck up, you hypocrite bitch), etc.;
- DON'T overthink the situation. Just keep busy trying.
- DON'T kill yourself. Your state of mind will do more than 40% of the job.
- DON'T go into despair when failing a box. Stop putting pressure on yourself and learn. As soon as you know you have tried all the tricks you know, and you don't believe in this tool or that technique → time to learn from the write-up.
Most important things, in order:
- Taking care of children;
- Spending time with friends & girlfriend / wife;
- Sleeping;
- Eating & fucking;
- then studying for OSCP.
About the exam:
- Never forget it is entry level. It is tough, but far from impossible.
- Do take care of yourself. Take frequent breaks.
- Offensive Security runs exploit-db. Obviously all the vulnerabilities and footholds are already referenced in exploit-db. Search for the versions of each stack. Then, once you have found all the possible versions, search exploit-db for exploits related to all of them.
- Do not search deep. Search wide, then refine, then slowly go deeper.
- Do learn how to privesc. Tiberius's courses on Udemy are great.
- Pressure will kill you. So just refuse it.
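To make the "find the versions, then search wide and refine" tip concrete, here is a small added example (my own illustration, not code from the original post or from Offensive Security). It parses a constructed snippet laid out like `nmap -sV` output, pulls out product and version for each open port, and turns each into an ordered list of search terms, from the bare product name down to the exact version, that you could feed to exploit-db / searchsploit one by one. The sample output, the regexes and the function names are all assumptions made for this example; nothing here touches a network.

```python
"""Added example (not from the original post): turn service-version
enumeration output into broad-then-narrow exploit-db search terms.

The input is a constructed snippet in the shape of `nmap -sV` normal output.
Nothing here runs a scan or queries exploit-db; it only builds the query list.
"""
import re

# Constructed sample: header plus three "PORT STATE SERVICE VERSION" rows.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
445/tcp  open  microsoft-ds Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
"""

# One open-port row: port/proto, "open", service name, free-text banner.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
# A version token such as 2.4.29 or 3.X (nmap uses X for unknown components).
VERSION_RE = re.compile(r"\d+(?:\.[\dXx]+)+")


def parse_services(text):
    """Return one dict per open port: port, proto, service, product, version."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line, closed/filtered ports, blank lines
        port, proto, service, banner = m.groups()
        # Drop parenthesised extras like "((Ubuntu))" or "(workgroup: ...)".
        banner = re.sub(r"\s*\(.*$", "", banner).strip()
        vm = VERSION_RE.search(banner)
        version = vm.group(0) if vm else None
        product = banner[: vm.start()].strip() if vm else banner
        found.append({
            "port": int(port), "proto": proto, "service": service,
            "product": product, "version": version,
        })
    return found


def search_terms(svc):
    """Ordered search terms: product only, then each numeric version prefix.

    Widest query first ("search wide"), exact version last ("then refine").
    Non-numeric version parts such as "X" stop the refinement.
    """
    terms = [svc["product"]]
    if svc["version"]:
        prefix = []
        for part in svc["version"].split("."):
            if not part.isdigit():
                break
            prefix.append(part)
            terms.append(f'{svc["product"]} {".".join(prefix)}')
    # Deduplicate while keeping order (guards against empty product names).
    seen, ordered = set(), []
    for t in terms:
        if t and t not in seen:
            seen.add(t)
            ordered.append(t)
    return ordered


def search_plan(text):
    """Map the whole enumeration output to a list of (port, [terms...])."""
    return [(svc["port"], search_terms(svc)) for svc in parse_services(text)]


if __name__ == "__main__":
    for port, terms in search_plan(SAMPLE_NMAP_OUTPUT):
        print(f"{port}:")
        for t in terms:
            print(f"  searchsploit {t!r}")
```

The point of the ordering is the one the tip makes: the first term for each port is deliberately vague so you see the whole family of known issues for that product, and only then do you narrow down to the exact version you actually observed; a version string that nmap could not pin down (the `3.X` case) stops the refinement rather than producing a bogus exact query.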
r/OSCP
I have read a lot of things in this subreddit, good and bad, and felt that a lot of people, me included before actually getting it, are scrolling there for reassurance, tips, and ways to improve their learning path.
I will try to give back to this sub-community a little bit of what it gave me, but also to correct some misleading information and advice I have read.
My background
I have been in IT for 9 years, first as a sysadmin and network admin, then as a security auditor for 3 years, where most of my job was auditing configuration files and not hacking. I was a complete newbie at hacking, especially web hacking.
As my little kid was so young, I could only work at night, from around 10pm to 11pm, sometimes 12pm or, more rarely, 2am. I also had a full-time job, so I couldn't afford full days, and daytime was for my child.
My preparation
I had the wrong idea that the OSCP exam would be really tough and that if I didn't get the 10 bonus points it would just be really unrealistic.
I got this wrong idea from all the failures of a lot of people, mostly in the r/OSCP subreddit, and also because at the beginning I was struggling so much in the lab.
I only pwned my first box after about 5 days. I had no idea how to privesc on Windows, and on Linux I could only privesc manually, so basically it took me a huge amount of time.
Pivoting was easier (I was a network admin before).
No understanding of buffer overflows and an average understanding of AD. After three months, I had only around 24 boxes pwned.
I paid for a first 3-month extension because I didn't feel ready at all.
I created a beautiful LaTeX template on my own (totally unnecessary, but I liked it better this way; I wanted to do things well). I spent a huge amount of time on all the exercises. I really wanted to make sure I truly understood everything. At that time the report was a huge task; things have changed by now.
Really important: build your methodology. I used Proving Grounds, one box a day, maybe 20 boxes in total (38 boxes in the OSCP lab). At the beginning, for most boxes, I needed to read the write-up. I focused on intermediate ones. As I had so little time, when I sincerely thought I was stuck, I read the write-up. I couldn't afford to spend hours not knowing where to look. When you should read the write-up depends on a mix between searching deeply on your own and understanding that enough is enough.
For each box, I documented (old-style notebook / pen) the steps, what I had missed, and the new tricks the box taught me.
As I had too little knowledge of Windows privesc, I bought the excellent course from Tiberius on Udemy for about $20.
My strategy
I practiced methodology a lot with Proving Grounds boxes: I have a handbook (good old ways), one sheet per box, with steps, tools I used, commands, traps (reverse shell firewalled so it only worked with one specific FTP port, forgot to brute-force obvious credentials such as admin/admin, forgot to scan all TCP ports), what I missed in red (such as dirbuster or nikto for web, for instance), important commands in green, etc.
D-Day
I was lucky to have a whole flat from an acquaintance who had gone on holiday. Started at 9am, as this is my usual work start time. Spent more than one hour trying to make the webcam work, before noticing that all I needed was Fn+F6 to switch it on. Then started for real after 10am. Regarding instructions, they are really clear and precise: IP addresses are given, as well as the IP address and credentials of the test VM and the PoC for the buffer overflow. Impossible to get confused, even for a non-native English reader. I mention this because I wish I had known it before the exam. Instructions are really straightforward.
After a quick scan, I didn't find anything. I was fighting and enumerating over and over again… Only at 1pm did I find a way in. And this is the important part of my overlong message: this way was easy. I just needed to assemble the pieces from everything I got from enumerating this box.
Quickly, slowly, pieces assembled, I got a user account. Enumerating by cycling: ports, potential accounts, accesses; then, about these accesses: authentication required? Which kind of authentication? Basic user/password? What do I need? Both? User given another way / by another service? Version of the software? Really, no more than these steps.
I quit for lunch, a 1-hour break, and when I came back, I almost immediately found access to the second box, and the elevation was trivial and covered by the PDF. At 3pm, I had a potential 30 points. This is another important part of this message: take breaks often.
I switched to the buffer overflow. I did it slowly, taking my time, very slowly, as this aspect was scaring me: all I knew about BoF was what is covered in the course, and I had done all the exercises. At 6pm, I had the buffer overflow working, with system and user flags. At this point, all I needed was two privescs, as I had the lab report, or the AD set.
Again, scanning and enumerating the AD set for one hour with no results. Fuck this shit, I thought; I went running, did pull-ups, came back, and got privesc on the very first machine at 8pm.
Quit to eat. As soon as I came back, privesc on the last standalone box at around 10pm. At this point, I was wondering if the proctor would think I was getting help from friends, as each time I left for a break/sport/food, I came back and immediately got something.
You need to take frequent breaks, as assembling pieces is really energy-consuming, and focusing and changing mindset frequently are conflicting activities. Run, walk, fuck, play, eat, whatever.
I may have eaten more than 500g of Snickers and ran 5km. I didn't fuck or play, however; too bad. Anyway, at 10pm I had all I needed to pass.
I still decided to focus on AD and enumerate, google, scan, again, until I found some easy shit at midnight that opened the door. How the fuck could I have spent so long without noticing this crap? Privesc took me 1 hour, and I fell into my first rabbit hole for 2 hours. Then I decided to go back to the old proven method: what do I have, what do I need, how can I fill the gap, enumerate possibilities, take down obviously non-working paths, again, easy things. Got domain admin by 2am. All boxes pwned in 17 hours.
Conclusion
Sorry for such a long post. Long story short: it should be doable in three months if you have a lot of time. It may be possible in 6 months if you start from nothing or have responsibilities elsewhere, as I had.
It should be possible in less than one year if you start from nothing and have responsibilities. Nothing impossible. Improve your methodology in Proving Grounds, do all the exercises; everything was a variation of the exercises or course content (the huge PDF).
Take breaks, a lot. Proctors are professional and cordial, and will let you take as many breaks as you want.
Visit friends and family, have holidays, work also during holidays, but also enjoy, run, live. Do not kill yourself. Eat, sleep, enjoy your OSCP journey, enjoy your life and fuck.
Then study.
Then do that all over again.
Had I skipped sleeping, eating, and enjoying, I wouldn't have got it.
Everything is in the course, but reading the course during the exam is not feasible. Hence study the crap out of the course and do your fucking exercises.
Refuse the pressure. Stay cool-headed as ice. Stress will impact your performance.
I know some people have tried and failed several times. I would be happy to help them now that I am on the other side. Please feel free to ask anything, and above all, enjoy your life and fuck :)