OSCP Exam — Mistakes and Wins
In my first attempt at the OSCP (Offensive Security Certified Professional) exam, I had only almost completed the course exercises, and so only managed to work through a couple of OSCP boxes with Metasploit and 5 VulnHub machines.
In my 2nd attempt at the OSCP exam, I did a few more boxes:
- 20 OSCP lab machines (I had to use hints from the forum)
- 2 Hack The Box machines
I’ve read from other exam reviews that clearing half the OSCP lab boxes would give you about a 50% chance of passing. I was not prepared for the exam, so I took it as a second practice, since an attempt comes with each extension of the lab. Privilege escalation, for instance, was an area which I hadn’t dabbled much in.
Thankfully, I did unexpectedly well in the exam and cracked all 5 machines, less privilege escalation on two of them. Including the submission of course exercises, I scored about 82.5/100. Time is of the essence (23 hours 45 mins), so building up a strategy helps.
9 am
I picked the 9am slot so that I could wake up later, and yet have some time on the following morning to tie up loose ends. Looking back, 11am or noon would have worked better for me, as working 14 hours straight was too strenuous; having the sleep break in between would have worked better.
I connected 20 minutes ahead to test out the proctoring setup, and had problems with sharing both screens — a tip would be to buffer more time to get that set up, so one can remain calm at the start of the exam.
My machine and external monitor were set up at a corner near my router this time, as I had observed slower speeds in my study room in the first attempt. I had a short cheat sheet written up that included the following details:
- enumeration — (I had some automated scripts prepared but forgot to use them) I used a few one-liners pulled from HTB walkthroughs, which were really helpful for last-minute preparation and revision, to run masscan on all UDP and TCP ports before running an in-depth scan on each open port. Don’t forget to output (-o) nmap results to a file — that came in very handy.
- for each of the protocols or services, I listed the follow-up actions so I wouldn’t miss out on enumeration, i.e. if HTTP(S) — nikto, dirbuster; if SMB — nmap scripts, enum4linux, smbclient, nbtscan, etc.
- and for privilege escalation, I had a few one-liners to run that were pulled from common enumeration scripts, which give me an indication of breadcrumbs that I can start looking at.
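The enumeration flow the cheat sheet describes (masscan across all TCP and UDP ports, then an in-depth nmap scan per open port with the output saved to a file, then a per-service follow-up list), as an added shell example that is not the author’s own scripts. It parses masscan’s stdout and nmap’s greppable output with awk and only prints the nmap commands rather than running them; the hosts, ports and banners are constructed samples, and the file names and the `enum_plan`/`followup_checklist` helpers are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the author's cheat sheet): turn masscan output into
# per-host/per-protocol port lists, build the in-depth nmap command that
# saves its results to a file, and print a follow-up checklist per service.
# Hosts, ports and banners below are constructed samples.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
MASSCAN_SAMPLE="$SAMPLE_DIR/masscan.txt"
GNMAP_SAMPLE="$SAMPLE_DIR/10.10.10.5-tcp.gnmap"

# Constructed masscan stdout ("Discovered open port <port>/<proto> on <host>").
cat > "$MASSCAN_SAMPLE" <<'EOF'
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 22/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 161/udp on 10.10.10.5
Discovered open port 3389/tcp on 10.10.10.7
EOF

# Constructed nmap greppable output (what -oA writes to the .gnmap file).
cat > "$GNMAP_SAMPLE" <<'EOF'
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//Apache httpd 2.4.38/, 445/open/tcp//microsoft-ds//Samba smbd 4.9.5/  Ignored State: closed (997)
EOF

# Unique hosts that masscan reported open ports on.
masscan_hosts() {
  awk '$1 == "Discovered" { print $6 }' "$1" | sort -u
}

# Sorted, comma-separated open ports for one host and one protocol (tcp|udp).
masscan_ports() {
  awk -v h="$2" -v p="$3" '
    $1 == "Discovered" && $6 == h { split($4, a, "/"); if (a[2] == p) print a[1] }
  ' "$1" | sort -n | paste -sd, -
}

# In-depth nmap command for the ports found; -oA keeps .nmap/.gnmap/.xml copies.
nmap_cmd() {
  host=$1; proto=$2; ports=$3; prefix=$4
  if [ "$proto" = udp ]; then scan="-sU"; else scan="-sS"; fi
  printf 'nmap %s -sV -sC -p %s -oA %s %s\n' "$scan" "$ports" "$prefix" "$host"
}

# "port/proto service" for every open port listed in a .gnmap file.
services_from_gnmap() {
  awk -F 'Ports: ' '/Ports: / {
    n = split($2, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")
      if (f[2] == "open") print f[1] "/" f[3] " " f[5]
    }
  }' "$1"
}

# Follow-up checklist per service, so no enumeration step gets skipped.
followup_checklist() {
  case "$1" in
    http|https|ssl/http|http-proxy)
      echo "nikto; dirbuster; read every page and robots.txt; note the server version" ;;
    microsoft-ds|netbios-ssn)
      echo "nmap --script smb-*; enum4linux; smbclient -L; nbtscan; note the SMB version" ;;
    *)
      echo "record the banner and version string, then research known issues" ;;
  esac
}

# Full plan: one in-depth scan command per host/protocol, then the checklist.
enum_plan() {
  for host in $(masscan_hosts "$MASSCAN_SAMPLE"); do
    for proto in tcp udp; do
      ports=$(masscan_ports "$MASSCAN_SAMPLE" "$host" "$proto")
      if [ -n "$ports" ]; then
        nmap_cmd "$host" "$proto" "$ports" "$SAMPLE_DIR/$host-$proto"
      fi
    done
  done
  services_from_gnmap "$GNMAP_SAMPLE" | while read -r portproto svc; do
    echo "$portproto ($svc): $(followup_checklist "$svc")"
  done
}

enum_plan
```

Run it as-is and it prints the scan commands and checklist for the sample data; to use it against real masscan output, point `MASSCAN_SAMPLE` at the captured file and replace the `echo`-style `nmap_cmd` with an actual invocation once you are happy with the command lines.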
My sequence strategy was as follows:
- Revert whichever boxes I can revert (revert is slow) since we have more than enough quota
- Run the enumeration commands on two or three machines first (those that were not being reverted) — I did not want to run them on all of the machines in case throttled traffic returned inaccurate results.
- Hit the **** machine first — which I reckoned would be the easiest and lowest hanging fruit.
For the **** machine, it is as per the PWK course materials, so one would just need to follow through step by step. I did not practise on this prior to the exam because I was too lazy to set up a Windows box of the same OS and specs.
The scope of the exam was pretty limited for this box, which I would not attempt to reveal further, but I skipped enumeration altogether and went straight into building the exploit. In my attempt to rush and skip through a few steps, it cost me an additional 2.5 hours, when I could have finished it in under 45 minutes:
- I did not do the standard set of enumeration — although I technically did not have to, since we have a debugging machine with full access — and that caused me to constantly doubt whether there were other services which I had not discovered that were ultimately causing my scripts not to work. Was there a new AV client? Was it on a different port? Was it on a different OS?
- I pre-prepared a list of possible hex characters, from which I had removed common bad characters that I had encountered in previous labs. Bad idea: firstly because that might not score me the intended points for the exam, and secondly because I might have missed good characters that I would otherwise need.
- I rushed through the checking of bad characters. It turns out that I missed a bad character that was way down in the payload, and that was the stumbling block that cost me an additional 2.5 hours redoing the whole exercise multiple times.
- And this is kind of a caveat: if your exploit does not take certain things into consideration, each run will crash the application, and a revert is warranted if you want accurate results.
I finally completed that, while being slightly frustrated with myself. Took a bunch of screenshots and closed the machine.
12 pm
Started to review the enumeration results for a lower-points machine and ordered my lunch in. This one was easy, and with some details of the service, I found the right exploit. But there was a slight twist that I quickly realised, and that required me to do some additional reading on the vulnerability to understand how I could chain exploits. It is like putting together a puzzle. Not that I was trying to game the exam, but if I was certain an exploit I found was the right one, and it required another component, then naturally I should be able to find another vulnerable service on that machine which could provide that missing complementary piece of information. For instance, if an exploit requires an authenticated session, then it is likely that another vulnerability would allow one to discover the credentials.
Anyway, I got local access pretty quickly, and started adding points to my scoreboard — impatiently counting chickens as soon as they hatched. Thinking of saving time, I hopped on to a high-points box to start further enumeration based on the first set of results. I jumped back and found very useful data that ultimately helped me gain root access.
As I said, I wasn’t prepared for this exam, and only took this attempt as a practice, but about 5 hours in, I had got 2 machines fully cracked — not too bad for a rookie! I started to be hopeful that I might actually be able to pass. That’s 50 points under my belt, which was where I stopped on my first attempt. 20 points to earn from 3 machines, no pressure! I started to slow down my pace and take more breaks.
It turns out that those two were the easiest machines, in hindsight.
2pm
I went for the other lower-points machine. It was a service that I’d only heard of but was not familiar with. Anyhow, that doesn’t matter here. Finding the vulnerability was easy, but the common exploits that I found did not work, and I understood that some level of customisation and manual work was required. But I didn’t have the luxury of time, so I chose to spend my time looking for other POCs that were on GitHub. Now I am not sure if that was intended, but I did find some pretty recent scripts from various researchers (I know those were not created for the exam), so I went ahead and tested a few of them. Lo and behold, one of them worked and I gained a reverse shell!
From time to time, I had to refresh my screen-sharing setup at the request of the proctors. Just FYI — I read that this is not unique to me, as other students encountered the same. But the Offsec team is really friendly, so the proctoring experience went really smoothly for me — I barely looked at that tab, so I was not too affected by the monitoring.
Privilege escalation is my Achilles’ heel, and that was an area I was supposed to prepare for my planned 3rd attempt, a few months down the road (I had just gotten a VIP subscription to HTB). Done poking around and not finding much, I ran the classic privilege escalation script. With those findings, I did not find much either. I left and returned to this box multiple times, and I was later convinced that it was going to be a kernel exploit, but somehow or other, my exploits did not work.
With some work on privilege escalation done, I thought it might be safe to assume that I had gotten 10 marks out of the total allocation for the box, and that brought my total points to 60. Now, I had a lot to lose if I didn’t make the last 10 marks (or 20 marks for good measure, in case something went wrong in the report).
6pm
That is when productivity goes down, and I found myself staring at my screens with no progress. My family members started coming back and I tried to stay focused on my exam. “Let’s go for the easiest and lowest-points machine”, I thought to myself. That was an understatement. Looking at the number of open services sank me back to reality. That’s a lot of work!
I started poking at the common ones, and long story short, there were a lot of red herrings on this one. So I didn’t make much progress on this until very much later.
8pm
I moved on to the last and final high-points box. I had been warned of rabbit holes, so I was very cautious to begin with. I found a service, but again, the scope of work was so big — there were so many possible vulnerabilities, so where should I start? How could I be systematic about it? By this time, I was pretty brain-fried. So I made a handful of futile attempts on common entry points. But Offsec was kind enough to leave a version number visible enough for me to pick up, and from there I found an exploit. As with the lower-points machine above, the exploit that was commonly available did not work off the shelf, so I was off finding POC scripts again, and lucky me yet again with my Google skills, I found an obscure but recent post on the same topic. I made minimal changes, and I got a reverse shell. That’s 60+12.5=70.25 points! Assuming my course exercises were accepted, that’s it. I was overjoyed.
10pm
I took a long break, and started to read up on OSCP exam reviews to find out hurdles and pitfalls in exam report submissions. I read that a number of them thought they would pass, but ended up failing because of improper screenshots. I looked at my screenshots and I realised ipconfig was taken separately from local.txt and proof.txt — that’s probably not going to work!
So I spent the next 30 minutes going back to each of the machines to retake screenshots with all three commands in a single, beautiful screenshot. I then started working on my report and added a new section to house a summary of these screenshots at the front of my report, so that no one would miss these artefacts. I should have done my homework on this, but well, better late than never.
I took the next hour or so combing through my report and building it up, checking for any missing documentation steps while I still had access, and at the same time clearing away irrelevant trial steps or payloads that did not work. I made multiple versions of my report. (I also made the mistake of combining my exam report with the course exercises, only to realise I had to separate them during the submission.)
11pm
I jumped back to the lowest-points machine, and after going through a ton of red herrings, I found my target which was really well hidden, in an unexpected place. Once that was found, the rest was easy. As it was the lowest-points machine, there was only a flag, and with that, I was certain I could pass!
That left me with two boxes that required root.txt. I did more research and found possible Metasploit exploits for both of them, but I really wanted to be independent of Metasploit for this exam, so I checked out the raw scripts of those Metasploit modules and their reference URLs, hoping to be able to manually escalate privileges on the last two boxes.
2am
After meeting a few seemingly dead ends, and knowing that I’ve already gotten enough points, I went off to sleep at around 2am. I cannot recall, but I may have left a brute-forcing operation on for the night.
It is especially hard to sleep, though, when one is very tired but not sleepy, due to the over-stimulation of the brain.
7am
Came back to my station to resume my proctoring session, which I had left streaming while I napped. I started reviewing my report again, and added a couple of sections to the original template, just to err on the side of caution in terms of comprehensibility.
I spent about an hour on the report, occasionally connecting back to cracked boxes to get better screenshots and output snippets, and reading up more on exam report requirements. Having gained confidence from my report, I spent the last 45 minutes alternating between the two boxes again, both running different OSes.
I ran a couple of exploits which had been running for 20 minutes and were terminated when my exam lab access was cut. I might assume a run of >20 minutes would mean unsuccessful, though.
10am
Took a short break and came back to working on my reports, both the course lab and the exam. And after two hours, I submitted my report!
One week later, the good news of passing came:
It was only towards the end of this journey that I realised I had barely scratched the tip of the iceberg. So it’s a beginning for me, and there is so much more to learn and explore. I will carry the motto and continue to #tryharder.