Hacking OSCP - The Hacker Way
As a hacker like you, we believe that something can always be better, and nothing is ever done or complete. We just have to go out from our comfort zone and do it — often in front of people who say it's impossible.
In reality, hacking just means building something quickly or testing the boundaries of what can be done.
- Mark Zuckerberg
In this blog, I will be discussing my OSCP experience and some tips and exercises I did to achieve the certification.
Offensive Security's OSCP
Offensive Security Certified Professional (OSCP) is a hands-on penetration testing certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution. The certification requires takers to successfully attack and penetrate various live machines in a safe lab environment. It is also considered more technical than other ethical hacking certifications out there, and is one of the few certifications that requires evidence of practical penetration testing skills.
Here are the principles I learned in the OSCP:
Focus on your goal
If you want to be OSCP certified, the best way to do it is to make sure you allot enough time and effort to focus on practicing to pass it. It may sound simple, but most of the students who take the OSCP do not have enough time, which may lead them to fail the exam. So always remember that your focus determines your reality.
Don't be afraid to take risks
Achieving your goals means you have to face whatever fears or hindrances may arise during the journey, and do it anyway. This can be scary and prevents most OSCP students from taking risks, but in a world that's changing so quickly, you're guaranteed to fail if you don't take any risks. In fact, most people say, "The riskiest thing is to take no risks."
Be open for collaboration
The Offensive Security community is composed of hackers, leaders, and students. Diversity strengthens the community, so be open to learning and growing from each other during the process.
- I have been a cybersecurity officer in a startup company based in Manila, Philippines, for almost five years.
- I passed CEH v9 and ECSA v9 (similar to the OSCP, but with a one/two-week examination) in 2017.
- I am an active bug bounty hunter and have reported valid findings to different organizations locally and internationally.
- I am also an active Capture the Flag participant with our team, hackstreetboys.
As I said, I believe that something can always be better, and nothing is ever done or complete. So I would consider myself a rookie or noob when it comes to pentesting. I have a little bit of knowledge in web application pentesting, but I am very new to network pentesting, which made the OSCP a challenge for me.
I bought 30 days of lab access, but I only used it five times, yes, as in 5 days. The reason behind this was that I had a lot of meetings at that time, and I was only able to use it during weekends. So let's move forward to Preparation.
I spent most of my time solving machines in HackTheBox, and you can visit my profile via this link: https://www.hackthebox.eu/profile/55589.
On HackTheBox, I practiced solving the OSCP-like boxes on Tony's list (aka TJ Null's list).
I also created a set of OSCP-like boxes for practice:
To step up my Privilege Escalation knowledge, I enrolled in Tib3rius' courses on Udemy. (Thanks for the discount, Tibsec!)
- Windows Privilege Escalation
- Linux Privilege Escalation
Then I signed up for TryHackMe to practice every single privilege escalation technique from the courses.
Fortunately, there is an existing room for practicing Linux Privilege Escalation, and it was created by Tib3rius too.
I asked Tib3rius via Discord if he also had a VM for Windows Privilege Escalation, and thankfully, he launched one a few days after I messaged him.
During my free time, I do IppSec and chill. He is a YouTuber who always uploads videos about retired HackTheBox machines. He has a playlist of OSCP-like boxes patterned on Tony's list.
To sum up my preparation: I watched IppSec's videos to learn about enumeration techniques, tools, and methodologies. Then I practiced privilege escalation using Tib3rius' Udemy courses and TryHackMe rooms. To test my acquired skills, I hacked on HackTheBox.
The exam started at 9:00 pm on Saturday, 20 Jun 2020 (Asia/Manila).
But 15 minutes before the exam, the proctor who would watch me during my exam asked me to install Janus WebRTC for screen sharing. They also asked me to run some bash scripts to get information about my Kali machine and send the result to them. They also asked me to give them a tour of the room, even under the table.
When everything was okay, they sent the Exam VPN and the control panel details.
I also received six machines: 5 were target machines, and one was for debugging.
The plan in my mind that time was:
- First, solve the Buffer Overflow machine;
- Next is to solve the other medium-difficulty machine;
- Then solve the two easy-to-medium-difficulty machines;
- And lastly, solve the easiest machine.
Timeline of activities
I am not allowed to discuss the exam details, so I will just describe and list the activities.
| Date and Time | Machine |
|---|---|
| 06/20 - 9:00 pm | Start |
| 06/20 - 10:41 pm | Buffer Overflow |
| 06/20 - 11:55 pm | 2nd machine |
| 06/21 - 1:00 am | 3rd machine |
| 06/21 - 2:08 am | 4th machine |
| 06/21 - 2:31 am | 5th machine |
| 06/21 - 2:31 am | Finish |
I started by solving the Buffer Overflow machine. Before that, I quickly re-watched the Buffer Overflow video from the OSCP course, and I already had a ready set of steps in my cheat sheet.
After solving the Buffer Overflow, I quickly started solving the other machines. Enumeration is always the time-consuming part of pentesting. You will find many entry points and need to conduct recon on every one of them just to gather the information necessary for a later attack.
Then you have to find the right exploit by researching various websites, or come up with your own exploit, to penetrate the target machine and gain user access.
Once you're inside the target machine, privilege escalation is just a matter of a few minutes in the OSCP exam if you know which privilege escalation enumeration approach to use.
For Windows, I used winPEAS while for Linux, I used Linux Smart Enumeration.
Then I just applied everything I learned from Tib3rius' course about privilege escalations.
Since I still had a lot of time left in my 24-hour examination, I started writing the VAPT Report.
Before the exam, I had already drafted a custom VAPT report template for the OSCP. I feel better using my own template when writing a report. So for each box, I have five (5) sections:
- Details (Summary)
- Proof of Concept
In section 2, I calculated the severity of the vulnerabilities I found in each machine I hacked.
As an example, the screenshot below was the severity calculation I included in one of the boxes I solved.
In section 3, I just wrote the hacking activity in a step by step format.
And with 12 hours remaining in my OSCP examination, I concluded my exam and sent the report to Offensive Security.
Two days after the exam, I received the result from Offensive Security.
- How do you enumerate web applications?
  - Look at the source code. I do this to find versions of the app or to find hints hidden in HTML comments.
  - List hidden files and directories. I used dirsearch and wfuzz many times during the exam.
  - It is important to analyze how the web app works.
- How do you select which service to try first?
  - Recon/enumerate everything. You will find hints in each service that might be useful for a later attack.
- How can I improve my privilege escalation?
  - Enroll in Tib3rius' courses on Udemy and practice in his TryHackMe rooms.
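The first answer above (read the source for version strings and leftover HTML comments) can be automated for a saved page. The script below is an added example, not code from the original post; it uses only the standard library and runs against a constructed HTML sample, pulling out comments, `<meta name="generator">` values, and any dotted version numbers they contain. The same check is useful on the defending side to catch information leaks before a page goes live.

```python
import re
from html.parser import HTMLParser


class HintExtractor(HTMLParser):
    """Collect HTML comments and <meta name="generator"> values from a page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.generators = []

    def handle_comment(self, data):
        # Empty or whitespace-only comments carry no hint; drop them.
        text = data.strip()
        if text:
            self.comments.append(text)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # Attributes without a value come through as None; normalise to "".
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator" and attr.get("content"):
            self.generators.append(attr["content"].strip())


# Dotted version numbers such as 5.4.2 or 3.1 (ignores "v"/"version" prefixes).
VERSION_RE = re.compile(r"\b(?:v(?:ersion)?\s*)?(\d+\.\d+(?:\.\d+)*)\b", re.IGNORECASE)


def extract_hints(html):
    """Return comments, generator tags and the version strings found in them."""
    parser = HintExtractor()
    parser.feed(html)
    parser.close()
    versions = set()
    for text in parser.generators + parser.comments:
        for match in VERSION_RE.finditer(text):
            versions.add(match.group(1))
    return {"comments": parser.comments, "generators": parser.generators,
            "versions": sorted(versions)}


# Constructed sample page (not from any real target) with typical leaks.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><meta charset="utf-8">
<meta name="generator" content="WordPress 5.4.2">
<title>Intranet</title>
<!-- TODO: remove debug toolbar before go-live -->
</head><body>
<!-- build 3.1.0 deployed by jdoe -->
<p>Welcome</p><!--   -->
</body></html>"""

if __name__ == "__main__":
    print(extract_hints(SAMPLE_HTML))
```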
Credits to TryHackMe for the image in this blog. <3