My OSCP journey

Hello everyone, I have finally received the confirmation that I passed my OSCP Certification.

This article is being written as I was asked about my specific profile and the reasons that made me chose this certification, and also my view on recommendations and what not.

A little bit about me: I am currently working as an SAP Architect, with 11 years of SAP experience this is still the area where I enjoy working. I started my career as a helpdesk assistant and I studied for my Master degree at night while maintaining a full time daily job — so I’m not new to the “Try Harder” mindset.

Why did I pursue the OSCP certification if I don’t work in the area of cybersecurity?

For the past couple years my interest in the cybersecurity field has been growing, perhaps a bit more than what I was aware before starting the OSCP journey.

I had annual VIP memberships (birthday gifts mainly) on Hack The Box, Try Hack Me and Pentesterlab but was not dedicating much time to any of the platforms.

During 2020, and with the worldwide lockdowns, I started to be way more involved in CyberSecurity events like online conferences Black Hat, Bsides (just to name a few), capture the flag events (too many to list), John Hammond and Ippsec’s youtube channels and towards the end of the year Hacking eSports (if you haven’t heard about it , check it out: https://www.twitch.tv/hackingesports_eng).

Eventually I realized I was not a noob anymore and I could actually grasp the concepts and add something personal to it.

I decided to pursue this certification mainly as a personal challenge, the satisfaction of achieving one of the most challenging certifications in the field combined with a pretty hard challenge was all that it took for me to decide to buy the OSCP course.

Preparation

When talking about how I prepared and if it worked or not, it’s very hard to make any recommendations out of the process I used. Mainly because this was what worked out for me personally, knowing my limits and with my background.

Despite all that, the following high level summary describes my path:

• I bought the OSCP course towards end of December 2020, I decided to go with the 30 day lab time, knowing what I know today maybe picking the 60 or even the 90 days would have been a wiser choice (the PDF exercises are intense);
• I choose the starting lab time for Feb 6th 2021 to give me some buffer time to prepare in other platforms;
• If you search for advice on what platforms are better or which ones are more similar to OSCP, you’ll find several different answers and also some very enforced opinions. I never took those too seriously and decided to see it for myself, my advise is do not let anyone decide for you (same applies for any advice you may get from this article, I honestly think that you need to find what works for you and not what worked for others);
• Virtual Hacking Lab — I bought 1 month of VHL around beginning of January, my goal was to try obtaining their certificate of completions while gaining some experience;
• I have mixed feelings about VHL, on one side the elevated price is definitively too costly while compared to other platforms, on the other side though, the quality of the machines is average ok. The machines are not depending on other machines and the lab is built out of 41 machines (as of the time this article is being written); I completed all the machines in about 3 weeks and decided to submit the reports for both certificate of completion tracks as a way to train my report writing skills; I obtained both certificate of completions; For the report, I used Noraj’s GitHub md to PDF template (https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) which was outstanding (I created a specific buildserver VM for this — more details in the resources section);
• With VHL done, I decided to get a more in-depth view over Windows privilege escalation, once again with the multiple recommendations on the discord InfoSec group I decided to have a look at Tib3rius’ Udemy course: Windows Privilege Escalation for OSCP & Beyond!
• Having completed the above course and with the quality of it I decided to buy the Linux one as well: Linux Privilege Escalation for OSCP & Beyond!
• It is money well invested for sure, I would have done it again knowing what I know today; If you are considering getting the courses then check out Tib3rius twitter account, he usually gives some discounts out on twitter (https://twitter.com/0xTib3rius) or his discord channel;
• I highly recommend both of them, personally I took way more out of the windows one than the Linux but I think they are both worth it;
• Time to dedicate to Buffer Overflow, discord group “InfoSec Prep” is a great community that provides some recommendations and pointers around different certifications, in my case they pointed me out to TryHackMe Overflow room as a BufferOverflow preparation;
• This room is a great resource to learn basic BOF concepts, to a point that I co-authored an attempt at a basic automation for the process of exploiting bof vulnerabilities, you can find the draft tool Overflowy at github https://github.com/ChevalierOnGithub/Overflowy;
• At this point my lab started on Feb 6th 2020, I dedicated daily at least 4–8 hours, evenings and late nights were pretty much blocked for studying;
• I decided that I was going to submit the Lab Report, despite a lot of discouragement from a lot of folks stating that it’s not worth it the 5 points … for me it was way more than applying for the 5 points, was getting the most out of the course, and after completing the lab I must say, some challenges do suck, like a lot, but overall I’m happy that I had the strong mindset to see them through — it was worth it; As a curiosity I had 770 pages on the Lab Report;
• 3 weeks into the Lab I was able to root all boxes (70 in total);
• At this point I booked my exam for the 14th March 2020, the available time slots for my timezone were pretty odd (starting at 7PM);
• From here until the exam date I dedicated to complete all the exercises of the PDF while I still have lab time available and in parallel I was doing some retired HTB boxes, with HTB I was more worried with not spending too much time at dead ends vs getting some minor hints to proceed (most of the times where I needed help was with bruteforcing using the wrong wordlist of some basic minor mistakes that would have taken me pretty long to get back on track with the machines) — so I favoured quantity over getting few hints here and there towards the end of my preparation (note: this worked for me as I was not lazy enough to go for the hints as the first try but only after feeling that I had hit a dead-end);
• I got some boxes from Proving Grounds completed, however for some reason I didn’t quite enjoy as much this Lab;

Follows a more in-depth description of each training platform I used:

Virtual Hacking Labs

• 42 machines in total, mixed Win/Linux;
• 9 Beginner;
• 17 Advanced;
• 16 Advanced+;

I got this 99 USD month pass: https://www.virtualhackinglabs.com/product/month-pass/

Try Hack Me

Path — Offensive Pentesting(https://tryhackme.com/path-action/pentesting/join)— This was a fun and very interesting pathway from THM, with rooms varying in difficulty it covered in good detail quite a considerable amount of skills;

The BufferOverflow room is a great resource, it clearly helps you to tackle easily BOF problems:

TryHackMe | Buffer Overflow Prep

TryHackMe | Brainpan 1

I also completed some other THM rooms like:

TryHackMe | Linux PrivEsc

TryHackMe | Windows PrivEsc

Note: I plan to go back to THM, Throwback and Wreath also sounds like fun labs to try out.

Hack The Box

I tried to completed as much boxes from this list as I possibly could given the timeframe: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159

From this list I completed 25 Linux and 22 Windows;

I did not explore my HTB subscription much aside from the retried machines, and here Ippsec videos are simply awesome, I was viewing the videos even if after I rooted any machines, taking notes on different attack vectors or tools that I was not aware of and after a few ones I could definitively feel the improvement around specific vectors. You don’t need an HTB subscription to watch the videos, they are freely available on youtube on Ippsec’s channel.

Note: The labs offered by HTB are really interesting and I consider going into it but time does not multiply and I had to prioritize given the timeframe I had. I will be, for sure, checking in the Labs available on HTB they all look pretty awesome.

Proving Grounds

I must say that PG is not for the faint of hearth, the machines tagged as Easy there are way more challenging that in any other platform (this is my opinion, not a statement), I appreciated the slap in the face and the wake up call that this brought me, despite all that I was not getting much out of it so I decided to not renew my monthly subscription of this one;

I tackled 11 Easy Machines from PG and I decided to move on;

Note: I’m not saying this is a bad platform, quite on the contrary, the only thing was that, personally, it didn’t click with me; Maybe now I’ll be back for some fun boxes on my spare time who knows …

Exam day

Sunday, March 14th 6h30 PM, with a monster batch of Death Wish coffee ready I started to do a quick last minute preparation with my VM and note taking software, and PANIC … my kali VM does not have internet connection for the life of me.

I had no idea why, and I started to panic big time, I restored my VM to a previous snapshot (literally taken like just few minutes back) and I see the same behavior, panic times 2, it’s now 6h43 PM and I have a brick for a VM.

So I did the whole turn it off and hope for a magic fix and … it did fix it. I have absolutely no idea why this happened but at this time I couldn’t care less, time to join the proctor session.

Connected to proctor session and getting the security verification out of the way was pretty much straightforward (just be sure to have your documentation ready with you).

Exam VPN credentials received and initial connection test, cannot ping the internal test host on the troubleshooting.sh but I could ping the exam machines, proctor decided that this shouldn’t be an issue (and it wasn’t).

Tackled BOF within the first hour, I was not stressing out with the time I was taking as I was sure time was not going to be an issue. In parallel though I started autorecon on the exam machines, 2 at a time and I went back to BOF.

Took as many notes as I possible could while I was doing it, triple checked all results and started to almost do the writeup of the report at the same time.

Popped a shell in the lab demo, in a rush tried it on the exam and shell. BOF done, time to complete the documentation. With 1h 15 mins into the exam and I decided to finalize the report writeup before jumping to the autorecon results (yep it was not easy to keep the calm but I was adamant on keeping up with my plan).

BOF done, decide to take a short break (you can take as many breaks as you want providing that you let the proctors know before you leave and right after you connect back).

So far proctor software has been a breeze and no issues whatsoever.

When I got back I started to look at one of the machines, in sequence and not caring much about the points at this time.

Here I decided to challenge my methodology and force myself to not get stuck with anything for more than 5 mins, so I went through the autorecon results starting some more targeted enumeration as I was going and forcing myself to circle through the rest of the recon findings.

I followed the same approach for all machines, except my nemesis, a privesc on a hard machine, that still haunts me until today;

Time was going by and I moved with some user and root shells on some target machines and I getting close but not enough for a passing score. This is now 4AM, coffee is long gone, need a new batch so I decided to take a bigger break for food, 30 mins stop (the longer one I took).

After getting back with a fresh mind I got a foothold on one of the targets, and with a user shell the privesc was something I was pretty familiar with … that’s it, I have a passing score (if I consider the 5 points from my lab report).

But … I’m not a very positive thinking kind of person, so I decided to keep poking with all I had until I was sure I got enough without having to rely on the lab report points.

Couple hours more, it’s now 6 AM, got a user shell on the last machine, now I’m sure I have the points, need to make sure I don’t mess up the report, but time is not an issue yet so I decided to keep pursuing the privesc.

And I kept at it for what felt like 1 year … nothing I threw at it was sticking, absolutely nothing, with or without reverts I had nothing.

Going against all I had I decided to step back and start creating the report, 9AM my time I start reverting all machines, and I was doing the writeup and testing all commands multiple times to confirm they were correct and no typos or missing screenshots could end up compromising the final report.

I did test all the attack vectors and got extra screenshots from each machine and that’s it, I have the report completed.

I used Noraj’s md to PDF, generating the PDF was a simple build, I went to my buildserver and built the final PDF report. Few errors with the usage of / \ or even @ without escaping it with ` but was a quick fix once I realized what was happening.

It’s now 12 noon and I have my report completed and ready to submit, but, I still have 6h45 minutes of exam available, and I have that stubborn privesc on the way of a perfect run.

Long story short, the privesc won … I was not able to get anywhere.

I was marginally getting somewhere finally, with a lot of “how” and “not sure how I got here” type of scenarios when my proctor plugin started to misbehave big time. This is now my 4 PM and I started to lose patience with the constant pings from the proctors and the screen share failing.

I tried everything (installing firefox and attempting a new browser, restarting my machine) but nothing seems to work and finally I had enough of this suffering and decided to end my exam and submit my report.

I spoke with the proctors who were pretty awesome and tried their best to help but they can’t control it either so, it was just a bit frustrating to say the least.

Report submitted, MD5 checksum triple checked, file names, format, extensions triple checked, all looks ok, submit and end the exam with the proctors.

(!! Now, you do not need to submit the report within the duration of the exam, at all, you have 24 hours from the time you finish your exam — I simply decided to get it done as soon as I could hence why I submitted right at the end).

7 days later I receive the confirmation of the successful certification completion.

Note: Not sure why it took 7 days for my case, usually they are taking 48 hours as it seems, but maybe seeing 770 pages of my lab report plus the 90+ pages on the report didn’t help speed wise;

Resources/Recommendations

Finally some lose notes and recommendations, I took a pretty aggressive path with my OSCP preparation and the lab report, the risk of burndown is real and I have to admit it was starting to hit me, so despite all of this I would suggest you to plan your training in advance, challenge yourself always but know your limits.

Try Harder is not something I liked to hear during this journey, however in the end, that’s what it was.

I wouldn’t say Try Harder but … do not stop trying, don’t give up.

Finally, the statement that you’ll run out of ideas before you run out of time is something that I 100% agree with (depending on how you decide to handle your exam time) and I actually lived it.

Don’t go full stress mode into the beginning of your exam. I decided not to sleep during the exam as I know that I wouldn’t be able to close my eyes, I am not saying this is the best way to do it, it was simply what worked for me. Even if you plan for sleep I still think you will have enough time, remember that your exam can be submitted 24 hours after you finish your exam, just make sure you have all the screenshots you need before your exam time is gone.

Note taking and report

Another hot-topic where everyone you ask will end up with a bunch of different tools and combinations, I’m not going to even attempt to sell my tools as the way to go, but it worked for me.

I used Visual Studio Code in Kali, with a plugin that allowed me to paste images from the clipboard. I also used Flameshot as a screenshot helper that gave me a bit more control of the area being clipped.

I used the .md format and went with Noraj’s toolset to generate the PDF version.

I decided to install a dedicated VM to avoid installing latex on my kali VM, I went with an Ubuntu VM and installed latex and the required tools on that VM.

In terms of version control I used a private github repository.

My favorite platform

This is a pretty hard one to pick, I’m going to say that I loved OffensiveSecurity labs, it was pretty cool and the pivoting experience was the cherry on top. Aside from this, I will not be unfair by picking a favorite from THM nor HTB, I think each one of them have it’s own value. Pentesterlab has a special value for me as it was the first platform I invested in and that gave me back a lot but I can’t say it’s that much aligned with OSCP as much as the others (for upskilling and fundamental concepts training it’s great!). Virtual Hacking Labs is good for the Labs but if budget is a concern I think HTB is probably a better investment.

I love the HTB challenges (not OSCP related IMO but still pretty fun) and I love the fact that I can pick a topic and join a room in THM, with the assurance that the quality of the contents is outstanding on both. (I was not offered nothing to provide this review, I’m open to some VIP passes though heheh).

Overflowy — co-author of this tool, this was put together mainly as a way to practice BOF and python3 byte handling. Intent was never to use this tool on the exam (which I didn’t);

ChevalierOnGithub/Overflowy

Tib3rius Udemy courses

Windows Privilege Escalation for OSCP & Beyond!

Linux Privilege Escalation for OSCP & Beyond!