Passed OSCP with 100% in 15 hours
Hi everyone, I am back with OSCP this time. I wanted to share my full journey on how I passed OSCP in the first attempt and was able to fully compromise 5 out of 5 machines with full system access on 25 August 2021. I want to keep it blog brief from where did I start and what I needed and how it Happened.
Background
Before going for OSCP, I had passed eJPT, CEH Master and Network+. As for OSCP Prerequisites I had networking, fundamentals on Linux and Windows and Scripting knowledge on both bash and python. For anyone going to OSCP, I would suggest taking eJPT as a stepping stone if you are not so confident when comes to such a practical exam. You can check out my eJPT blog I wrote a while ago. I would suggest anyone to hold good knowledge in penetration testing before going for it as this exam does require you to try harder.
Prerequisites
Keep a note-making application with you for the whole journey and keep it in use even after this as you will need it just so you can go back to methods/tools. I started taking notes really late(June) and honestly, I wish I could have started it earlier. I used OneNote but you can use any notes taking apps such as Joplin, CherryTree, etc. But I can’t emphasize how important it is to take notes thought the whole journey.
Also, learn basic python, you don’t need to learn everything but googling errors can help you whenever you are stuck. Some other things to focus on in python would be converting a Python2 script to Python/Python3 and vice versa.
Preparation
Timeline
It took me 5 months to prepare for OSCP.
TryHackMe
I personally started with TryHackMe. I started from Easy boxes and worked my way to Medium and then did some hard boxes. While I was working my way up I did see walkthroughs in between to get a mindset on how to approach boxes. Then after I was confident enough I went to do paths on TryHackMe — Complete Begineer, Web Fundamental, Comptia Pentest+ and at last Offensive Pentesting.
HackTheBox
After that, I took a month of HackTheBox and did TJ Null List machines. Again in the start, I wasn’t able to get much progress but then I used to look at walkthroughs just to understand the methodologies. I used to look at 6–8 walkthroughs on a machine just to understand how can get the root machine in not just one way but in other ways as well. After looking at all the walkthroughs I learned a lot and this might be one of the reasons why I was able to compromise all machines in the exam. I tried to do as many machines as I can do by myself but if I felt like I tried everything I looked into the walkthrough with no guilt as at the end of the day I learned something new.
OSCP Labs & PWK(PEN-200)
I took a subscription for 2 months of OSCP labs and I was able to get all the machines done in just one month. I would say to take one month only if you already have done TJ Null List from HackTheBox and you can give your full time, else I would personally say to get 2 or 3 months.
Don’t forget to focus on other departments in the labs as they have the recently retired machine from the OSCP exam. This will give you an idea of how the exam machines might be. Also do go through the course materials as they provide good content to learn on BOF, AD, Client-Side attack, and many more topics.
Proving Ground (Practice)
After I was able to get all the OSCP lab machine done I had one month on Labs and I booked my exam one more prior to the end of the labs. I took Proving Grounds from Offensive Security. This platform was far better than I expected it to be. The machines on this were made by OffSec Team and I did learn a lot. I would say to first focus more on Community Rating machines till Hard ones. After that you can go with More Hard ones, they are a bit out of scope for OSCP but you will get to learn a lot and it is really important to learn as much as you can before going for the exam as at some point you will feel like you are out of ideas so learn as many ways as possible to do a machine.
BOF Preparation
I did not follow the PWK course for BOF as I personally prefer TCM BOF Preparation. It is simple and straight. For practice, doing TryHackMe Buffer Overflow prep is enough. I personally learned around 3–4 ways to do buffer overflow and came up with my own method. It is really important to understand how a buffer overflow works to perform it. Do learn this one as I would say this is free 25 marks and this is very simple if you understood it.
Privilege Esclatation
I took TheCyberMentor Heath Adams both Windows and Linux Privileges Escalation course and it is really worth it. In both courses, I learned a lot about privileges escalation. I heard tib3rius Privileges Escalation courses are also good. You can check any of them out. I would suggest you go with any one of them as you do need to be aware of all types of privileges escalation for this exam.
Transfering file
Learn as many methods as you can to transfer a file between local and target and vice versa. Do not keep it just limited to HTTP server but also learn FTP, SMB Server, and SCP Transfer method.
Isn't looking at walkthroughs cheating — Well looking at walkthroughs has its pros and cons. I looked at walkthroughs only when I knew I had no possibility of doing the machine. The main goal here is to learn, so if you look at the walkthrough and feel like you learn something new, so all okay.
There has been a time when I looked at a walkthrough and felt I could have done it if I enumerated more and I felt guilty of even looking at it. So I would say to keep it to a minimum but when you do look at one just remember to learn something from it and don't get too dependant on it. Use it wisely.
Exam
Booking Exam date
Do book your exams within a minimum of 2 weeks or more as it will be hard to find the right date and time. I would suggest sitting in the morning if you are a morning person or at night if you are comfortable with it. Don’t settle for timing just because you didn’t get the right timing. Book exam timing that suits your day-to-day study/work routine. I booked at 6:30 AM in the morning.
Before Exam
If you are this close to the exam and you already have put in the time and effort before. I would tell you to take one or two days off, get your notes together, keep your VM snapshotted. As this exam is gonna be 48hours and the first 24 hours are gonna be tiring, so it’s better to get some full rest before the exam. 3 days before the exam I personally backed up my system and didn’t study but watched anime. Just so I don't start having thoughts on exam and start panicking for no reason. This is how I mostly go in exams, you can do whatever you like just remember to take full rest so you can give your best on exam day.
Exam Day — 25 Aug 2021
After getting the VPN and Credentials for it, I started my exam by 6:40 AM. My strategy was to focus on BOF first then move on to 20 pointers and then 10 and leave the 25 at last. It took me around 1:20hr to get the BOF done. So around 8 AM I took a 10 min break and left the scan running for 20 pointer machine. I came back at 8:10 and started a 20 pointer machine. At 10:30 I was able to get full system access and landed 45 marks. Took a 10 min break again and ran scans. I didn’t make any progress on 20 pointers till 1:30 so I moved on to 10 pointers instead and was able to get it done in 20 minutes. So around 2 PM I took a lunch break and had 55 marks already. I started to focus on 25 pointers now. For a long time, I did not make any progress so I took a 30 min break at 6 PM. By that time I was lost and didn't think I could actually pass the exam. While on the break, I knew I had around 12 hours and If I ‘try harder’ I could get it done. So I made a new strategy- to forget everything I knew about both 20 and 25 pointer machines and start from scratch. By trying harder I meant to try to enumerate as much as possible before jumping or sticking to a conclusion. I came back at 6:30 PM and started 25 pointers from start and guess what this strategy worked for me and I was able to root 25 pointer machine by 8:00 PM. By this time I had 80 points so I was passed already but as I had some time left and I could give another try to the 20 pointer machine. By 9:30 PM I had compromised every single machine in the exam. I was really happy and looking back on the hours when I didn't make any progress. I saw I was trying to rush into machines instead of enumerating it more. So by 10:30 PM, I made sure I had every screenshot and step to get into the machine for the next day's report. At this moment I was already exhausted and went right to sleep so I can give my best on the report too.
Report Day — 26 Aug 2021
I had two options when it came to reporting — Noraj Markdown Template and Document Template. I was planning to write the report in Markdown but I realized I was already tired from yesterday and I needed to rest. So I choose to go with whoisflynn OSCP Document Template. I was able to submit the report by 1:30 PM. I was a little bit anxious after submitting the report as I didn’t want to come this far and make some simple mistakes in the report and fail. So I would definitely suggest you go read all the instructions carefully before submitting the report.
Result Day — 27 Aug 2021
Honestly, I didn't expect Offensive Security to come back to me in just one day. Around 4 PM I got a mail stating that I was successfully able to passed OSCP :)
Personal Thoughts on OSCP
Preparation
For this exam, you do need to put in a lot of time and effort. There is no bulletproof way you can follow and pass this exam. This exam will test your way to think towards a target. Trust me, It won’t to so easy but if you do learn throughout the journey and build a mindset you will get it.
Exam Difficulty
It was a medium-hard exam in my opinion. Honestly speaking the machines are not the hardest as compared to HTB or PG. Just because you have a time period of 24 hours, your brain and body start to get exhausted after a while and that’s why this is said to be a tough exam. You need to figure out how can you get in the machine but also build a mindset and learn when to give yourself rest before you get full exhausted.
Rabbit Holes
I know some people might disagree with me here but this is just my personal opinion. I don’t think there are any rabbit holes. I did come to some edges where I thought it was the way but turned out to be it wasn’t. I realized it was no rabbit hole but something which looked juicy but was actually not. If you see them yourself just remember to give in your 30 min maximum and if you think it doesn’t work then move on even if you are really close but still stuck. I mean if nothing works out you can always come back to what you think was the way right?
Remember, this exam has machines that are actually vulnerable than real-world machines. So think of it this way. All the machines are compromisable you just need to find the way.
One more thought on the rabbit hole would be, look for any information that could come in handy. If you think you find something which has information but you can’t use it anywhere then most probably you are facing a rabbit hole.
Tips:
- Remember every machine is vulnerable so don’t just lose hope if you don’t find anything useful. Take a break and come back.
- Taking breaks is way more important than you think. If I didn’t break I would definitely fail. WE ARE NOT MACHINES!
- Don’t overdo coffee or energy drinks.
- Have a full 7–8 Hours of sleep before the exam.
- Learn everything you need before the exam. Do not panic and rush to learn on the last day.
- Do a full TCP and UDP Scan. You don’t wanna fail because you missed the UDP scan.
- I would suggest checking out PG Practice from OffSec before the exam.
- Remember this journey is a marathon, not a sprint.
- Lastly, remember if I can pass it so can you! Trust your hard work!
Sources:
GTFOBINs, PayloadsAllTheThings -This one has a lot of content so check as much as you can, keep the ReverseShell Cheatsheet handy, HackTricks -Keep it handy as well, you will find a lot of information for every port, Up-to-date TJ NULL LIST, Upgrading shell, Hacking Articles -Great platform to learn, 0xdf -Best walkthrough and learn methodology.
Thank you!
I want to thank my family, girlfriend, and friends who supported me throughout the journey, this was a hard one but worth it in the end. I would also like to thank Offensive Security for such a great exam. If you came this far, I am sure you are serious and want to go for OSCP. I wish you good luck with your journey too! Remember to give your best and never lose hope! If any future questions feel free to drop me a text on LinkedIn. I will try my best to help you out. Farewell everyone I will see you soon with something new again! Stay safe, healthy, and try harder :)
