Hacking OSCP - The Hacker Way

As a hacker like you, we believe that something can always be better, and nothing is ever done or complete. We just have to go out from our comfort zone and do it — often in front of people who say it's impossible.

In reality, Hacking just means building something quickly or testing the boundaries of what can be done.
- Mark Zuckerberg

In this blog, I will be discussing my OSCP experience and some tips and exercises I did to achieve the certification.


Offensive Security's OSCP

Offensive Security Certified Professional (OSCP) is a hands-on penetration testing certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution. The certification requires takers to successfully attack and penetrate various live machines in a safe lab environment. It is also considered more technical than other ethical hacking certifications out there, and is one of the few certifications that requires evidence of practical penetration testing skills.

Principles

Here are the principles I learned in the OSCP:

Focus on your goal
If you want to become OSCP certified, the best way is to allot enough time and effort to focus on practicing for it. It may sound simple, but most of the students who take the OSCP do not have enough time, which leads them to fail the exam. So always remember that your focus determines your reality.

Don't be afraid to take risks
Achieving your goals means you have to face whatever fears or hindrances may arise during the journey, and do it anyway. This can be scary and prevents most OSCP students from taking risks, but in a world that's changing so quickly, you're guaranteed to fail if you don't take any risks. In fact, most people say, "The riskiest thing is to take no risks."

Be open for collaboration
The Offensive Security community is composed of hackers, leaders, and students. Diversity strengthens the community, so be open to learning and growing from each other along the way.

Background

  • I have been a cybersecurity officer at a startup company based in Manila, Philippines, for almost five years.
  • I passed CEH v9 and ECSA v9 (the same as OSCP but with a one/two-week examination) in 2017.
  • I am an active bug bounty hunter and have reported valid findings to different organizations locally and internationally.
  • I am also an active Capture the Flag participant with our team hackstreetboys.

As I said, I believe that something can always be better, and nothing is ever done or complete. So I would consider myself a rookie or noob when it comes to pentesting. I have a little bit of knowledge in web application pentesting, but I am very new to network pentesting, which made the OSCP a challenge for me.

OSCP Labs

I bought 30 days of lab access, but I only used it five times, yes, as in 5 days. The reason is that I had a lot of meetings at that time and was only able to use it on weekends. So let's move forward to Preparation.

Preparation

I spent most of my time solving machines in HackTheBox, and you can visit my profile via this link: https://www.hackthebox.eu/profile/55589.

In HackTheBox, I practiced solving the OSCP-like boxes on TJ Null's (Tony's) list.

https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview

I also created a set of OSCP-like boxes for practice:

ajdumanhug/oscp-practice: A random set of 5 machines for OSCP (GitHub).

To step up my privilege escalation knowledge, I enrolled in Tib3rius' courses on Udemy. (Thanks for the discount Tibsec!)

Windows Privilege Escalation

Windows Privilege Escalation for OSCP & Beyond!
This course teaches privilege escalation in Windows, from basics such as how permissions work, to in-depth coverage and demonstrations of actual privilege escalation techniques. The course comes with a full set of slides (150+), and a script which can be used by students to create an intentionall…

Linux Privilege Escalation

Linux Privilege Escalation Tutorial: Become an Ethical Hacker
This course teaches privilege escalation in Linux, from basics such as how permissions work, to in-depth coverage and demonstrations of actual privilege escalation techniques. The course comes with a full set of slides (170+), and an intentionally misconfigured Debian VM which can be used by stud…

Then I signed up for TryHackMe to practice every single privilege escalation technique from the course.

Fortunately, there is an existing room to practice Linux Privilege Escalation, and it was created by Tib3rius too.

TryHackMe | Linux PrivEsc
Practice your Linux Privilege Escalation skills on an intentionally misconfigured Debian VM with multiple ways to get root! SSH is available. Credentials: user:password321

I asked Tib3rius via Discord if he also had a VM for Windows privilege escalation, and thankfully, he launched it a few days after I messaged him.

TryHackMe | Windows PrivEsc
Practice your Windows Privilege Escalation skills on an intentionally misconfigured Windows VM with multiple ways to get admin/SYSTEM! RDP is available. Credentials: user:password321

During my free time, I do IppSec and chill. He is a YouTuber who regularly uploads videos about retired HackTheBox machines. He has a playlist of OSCP-like boxes patterned after TJ Null's list.

https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf

To sum up my preparation: I watched IppSec's videos to learn enumeration techniques, tools, and methodologies. Then I practiced privilege escalation using Tib3rius' Udemy courses and TryHackMe rooms. To test my acquired skills, I hacked on HackTheBox.

OSCP Exam

The exam started at 9:00 pm on Saturday, 20 Jun 2020 (Asia/Manila time).

But 15 minutes before the exam, the proctor who would watch me during the exam asked me to install Janus WebRTC for screen sharing. They also asked me to run some bash scripts to collect information about my Kali machine and send them the results. They also asked me to show them around the room, even under the table.

When everything was okay, they sent the Exam VPN and the control panel details.

I also received six machines: five were target machines, and one was for debugging.

The plan in my mind that time was:

  1. First, solve the Buffer Overflow machine;
  2. Next is to solve the other medium-difficulty machine;
  3. Then solve the two easy-to-medium-difficulty machines;
  4. And lastly, solve the easiest machine.

Timeline of activities
I am not allowed to discuss the exam details, so I will just describe and list the activities.

Date and Time        Machine
06/20 - 9:00 pm      Start
06/20 - 10:41 pm     Buffer Overflow
06/20 - 11:55 pm     2nd machine
06/21 - 1:00 am      3rd machine
06/21 - 2:08 am      4th machine
06/21 - 2:31 am      5th machine
06/21 - 2:31 am      Finish

I started by solving the Buffer Overflow machine. Before that, I quickly re-watched the Buffer Overflow video from the OSCP course and already had a ready set of steps in my cheat sheet.

After solving the Buffer Overflow, I quickly started on the other machines. Enumeration is always the time-consuming part of pentesting. You will find many entry points and need to conduct recon on all of them just to gather the information needed for a later attack.

Then you have to find the right exploit by researching various websites, or come up with your own exploit, to penetrate the target machine and gain user access.

Once you're inside the target machine, privilege escalation is just a matter of a few minutes in the OSCP exam if you know the privilege escalation enumeration tools you're using and how to read their output.

For Windows, I used winPEAS while for Linux, I used Linux Smart Enumeration.

carlospolop/privilege-escalation-awesome-scripts-suite: Privilege Escalation Awesome Scripts SUITE (with colors) (GitHub)
diego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels (GitHub)

Then I just applied everything I learned from Tib3rius' course about privilege escalations.

Report Writing

Since I still had a lot of time left in my 24-hour examination, I started writing the VAPT report.

Before the exam, I had already drafted a custom VAPT report template for OSCP. I feel better using my own template when writing a report. So for each box, I have five (5) sections:

  1. Details (Summary)
  2. Severity
  3. Proof of Concept
  4. Recommendation
  5. References

In section 2, I actually calculated the severity of each vulnerability I found on each machine I hacked.

As an example, the screenshot below was the severity calculation I included in one of the boxes I solved.

In section 3, I wrote up the hacking activity in a step-by-step format.

With 12 hours remaining in my OSCP examination, I concluded the exam and sent the report to Offensive Security.

Result

Two days after the exam, I received the result from Offensive Security.


Q&A

  1. How do you enumerate web applications?
    - Look at the source code. I do this to find the version of the app or hints hidden in HTML comments.
    - List hidden files and directories. I used dirsearch and wfuzz many times during the exam.
    - It is important to understand how the web app works, not just which pages exist.
  2. How do you select which service to try first?
    Recon/enumerate everything. You will find hints in each service that might be useful for a later attack.
  3. How can I improve my privilege escalation?
    Enroll in Tib3rius' courses on Udemy and practice in his TryHackMe rooms.
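The source-code review in the first answer can be done mechanically. The checker below is an added example, not the author's tooling: it pulls HTML comments, generator tags, version strings and paths mentioned in comments out of a page, which is also a useful pre-release check for developers who want to know what their own pages give away. The sample page is constructed and the regexes are deliberately simple.

```python
import re
from html.parser import HTMLParser

# Constructed sample page containing the kinds of hints the post describes.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.4.2">
<!-- TODO: remove /backup/ before go-live -->
<script src="/static/js/jquery-1.12.4.min.js"></script>
</head><body>
<p>Welcome</p>
<!-- admin login moved to /manage/ -->
</body></html>"""

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")  # e.g. 5.4.2, 1.12.4
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]*")        # e.g. /backup/, /manage/


class SourceHints(HTMLParser):
    """Collects the pieces of page source worth reading during enumeration."""

    def __init__(self):
        super().__init__()
        self.comments, self.generators, self.script_srcs = [], [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])


def find_hints(html):
    """Return comments, generator tags, version strings and comment paths found in source."""
    parser = SourceHints()
    parser.feed(html)
    parser.close()
    texts = parser.comments + parser.generators + parser.script_srcs
    versions = sorted({m.group(0) for t in texts for m in VERSION_RE.finditer(t)})
    paths = sorted({m.group(0) for c in parser.comments for m in PATH_RE.finditer(c)})
    return {"comments": parser.comments, "generators": parser.generators,
            "versions": versions, "paths": paths}
```

On the sample page, `find_hints(SAMPLE_HTML)` reports the generator tag, the two version strings (from the meta tag and the script filename) and the two paths leaked in comments; on a real target, each of those is a candidate for the next enumeration step.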

Credits to TryHackMe for the image in this blog. <3