OSCP Journey !!! I never lose, I either win or learn !!!

Jie Liau
8 min read · Oct 30, 2019


If you never try, you won’t earn it. I recently completed the PWK course and earned my OSCP certification. It was a really hard journey, and it deserves to be my very first story on Medium!

After this, I will keep posting related technical stories that I found and re-organized during my OSCP preparation. Please stay tuned.

1. Before OSCP

I first heard about OSCP about one year ago and thought it would be a significant milestone on my career path. Before starting your PWK course, I strongly recommend trying yourself out on VulnHub and Hack In The Box. I sometimes spent whole weekends on VulnHub and Hack In The Box. I list some OSCP-like machines below, and you could give them a try before you jump into the PWK course.

2. Starting the OSCP journey

Offensive Security’s PWK course comes in 3 packages: 30 days, 60 days and 90 days. If penetration testing is your daily job, I believe 30 or 60 days will be enough for you. Once you complete your PWK registration, you have to wait a few days and then you will receive an email indicating where to download your course manual, videos and the PWK version of the Kali Linux VMware image. In the same email, you will be given your OS ID, login password and VPN connectivity information as well. At this point, you can start your self-learning journey and enjoy your exhausting lab time. I signed up for the 90-day package, spent about 2 weeks completing the course material and jumped into the lab soon after. The less time you spend on course material, the more lab time you will get. All within 90 days. If you think 90 days is not enough, you could pay to get more.

3. Lab time

There are 4 subnets in the lab environment: public, development, IT and administrative. Your goal is to fully compromise each machine to get proof.txt. On some machines you will find network-secret.txt as well; this is the key that lets you connect to the other subnets, namely development, IT and administrative.

Once you connect to the VPN, the public subnet is the first one you will be in. There are around 40 boxes in it. There is no rule for your starting point: you could start from the first machine or the last one. It’s all up to you, but some machines have a so-called relationship, meaning you have to compromise one machine first to break into another. There are lots of attack vectors you could utilize, like SQLi, Shellshock, LFI, RFI, buffer overflows and so on. The Offensive Security lab environment tries to simulate a real-world environment. You will face Windows, Linux and BSD platforms. Don’t be scared and stay calm !!!

During my 90 days of lab time, I compromised 37 machines in total and gained access to the IT and development subnets. I rooted/pwned timeclock, sean, kevin, core, joe, phoenix, barry, tophat, alpha, RALPH, DJ, ORACLE, jd, kraken, susie, BOB, sherlock, mike, sufferance, pain, fc4, BOB2, leftturn, hotline, mail, alice, HELPDESK, gh0st, gamma, dotty, beta, pedro, jeff, BRUCE, payday, master and observer. If you are chasing your OSCP, you have probably heard about the 5 most notorious and infamous machines: gh0st, fc4, pain, humble and sufferance. Near the end of my 90 days of lab time, I was stuck on humble. It obviously could be RCE via a NoSQL vulnerability, and I did get MongoDB to sleep for a while, but I was unable to get a reverse shell back to my Kali. I tried a lot but still had no luck. Finally, lab time ended. Honestly, the Offensive Security lab is the best security lab I’ve ever seen. Even if you have already passed OSCP, it’s still worth swiping your credit card for more time to get all hosts compromised.

4. Game On

Once your lab time ends, you have to schedule your exam date within 90 days, and you can reschedule it up to 3 times. Be aware that your OSCP exam will be proctored through your webcam and screen sharing, so if you want to take your OSCP exam on a weekend, schedule it 4 weeks before the date you want. You can even schedule it while your lab time is still going on.

Before your exam starts, Offensive Security staff will do an identity check. You might be asked to show your passport and to pan around your room with your webcam. Once your identity is confirmed, your exam lab environment will be unlocked.

In the OSCP exam, you have to compromise 5 machines in 24 hours (23 hours 45 minutes exactly), and you need to prepare your professional penetration testing report within the following 24 hours. The passing score is 70 points. The points for each machine are 25, 25, 20, 20 and 10 respectively. Your goal is to get local.txt and proof.txt. And please remember to screenshot your local.txt/proof.txt along with the ipconfig/ifconfig output. If you don’t, you may lose the full points for that machine. In my OSCP exam, I successfully rooted 4/5 machines, and the most impressive part was that I got one Windows 10 machine and successfully escalated myself to SYSTEM. That machine took a lot of my time during the exam, but finally I succeeded. Never give up. TRIED HARDER !!!

5. Miscellaneous

Don’t miss the exploit development part of the course material. Please read the buffer overflow exploit development chapters for Windows and Linux super carefully !!! This will be a compulsory machine in the OSCP exam and it is worth 25 points !!! Fully understanding how to control EIP and how to generate shellcode is a lot of fun and will help your security career path so much.

Finally, I tried harder and passed it !!!

At the end of this article, I list some useful websites below. These are the ones I frequently visited while preparing for my OSCP. I hope you all have a wonderful learning experience and enjoy it !!!

Windows Privilege Escalation and pen-testing

Github resources

LFI to RCE

http://www.am0s.com/wp-content/uploads/2017/01/lfi%E4%B8%AD%E6%B3%84%E6%BC%8F%E4%BF%A1%E6%81%AF%E7%9A%84%E6%96%87%E4%BB%B6fuzz.txt

Reverse Shell Cheat Sheet

Tomcat port 8009 AJP13 Exploit

Linux Kernel Privilege Escalation

Buffer Overflow Stuff

Privilege Escalation Collection

Udev Privilege Escalation

Port Knocking

Windows Kernel Exploits

https://411hall.github.io/assets/images/exploitexcel.png

EternalBlue Exploit (MS17-010)
