My First Post and My journey to pass OSCP

backdoor
6 min read, May 11, 2021

In summary, it's a painful yet wonderful and fun journey. It's fully practical. After spending close to nine months studying for the Offensive Security Certified Professional (OSCP) certificate, I'm happy to announce that I'm officially OSCP certified, on my second attempt.

One of the main reasons I passed this exam was the helpful InfoSec community on Discord. Mentors like TJNULL, FalconSpy, Servus, Purple-Zepher, Foleosy, Tristram and many more are always there to help and guide you. Ask the Offsec Student Admins as many questions as you want regarding the exercises and lab machines.

Dedication is needed. Staying healthy is also needed. You need to devote most of your free time to practicing, researching and learning. You also need enough rest to let your body recover, both physically and mentally.

Here is how I approached the exam:

After a gap in my IT learning, with a Master of Computer Applications degree (2007) in hand, I started the OSCP course with 90 days of lab time. I spent almost 50 days reading and completing the exercises of the OSCP book. For the last 40 days I spent all my time in the OSCP lab.

Attempt 1: After my 90 days of lab time I was able to root only 28 machines in the OSCP lab, but I was confident I could get the machines in the exam. The exam process was very smooth and the invigilator was very helpful. I started the exam in the morning at 8:00 a.m. and got the buffer overflow machine in the first 3 hours. I took a 30-minute break after the first machine, and it took almost 8 hours to get the second, 20-point machine. PE was easy but I over-complicated it. I kept looking at the other machines but did not get even an initial shell. I still submitted the report and got the result the next day: I failed.

Attempt 2: After my first attempt my confidence went from 100% to 10%, but I started again with a new approach and went on the PG_Practice platform launched by Offsec during those months. I started reading write-ups on Medium and other websites. Rana Khalil's blog on Medium helped me a lot to learn new techniques from all the TJNULL boxes on HTB. I started watching IPPSec videos every day for at least 2 hours. He is a GEM and I learnt many new things.
After all this, I felt my confidence go from 10% to 50%. I took another 30 days of lab time to root OSCP lab boxes and tried to root most of them without much help. Again, I was able to root only 30 boxes in 30 days.

I felt more confident after the OSCP lab, the write-ups, the IPPSec videos and the PG_Practice boxes. I still went after a couple of Udemy courses by Tib3rius on Windows and Linux privilege escalation. I booked my exam for the 5th of May. I made CherryTree notes of all the major commands I used to root the machines in the OSCP lab (58 boxes) and PG_Practice (40 boxes). This helped me a lot during the exam.

Exam Day: I had my exam scheduled for 8:00 a.m., as I know I can sit for a longer period of time during the day. I started with five workspaces on my Kali and a folder on my Desktop for each machine. I checked in at 7:55 a.m., everything went smoothly, and I was able to start working on my machines at 8:15 a.m.

My first target was the buffer overflow, but before that I started the nmapAutomator.sh script against all the other machines in different workspaces of my Kali OS. I started working on the buffer overflow and was able to root it in 3 hours. I was taking all the screenshots while working. After I rooted my first machine, I took a 15-minute break. After my break ended, I started looking at the 10-point machine, found the vulnerability in 2 hours, and rooted it 30 minutes after I found the weak point.

I went after the 20-pointers immediately and started looking at all the open ports and the other enumeration performed by the auto-script. After spending 30 minutes on it, my body felt like taking another break. I went for lunch and came back after one hour to work on the machine again. My mind and body were a little more relaxed after the break, but all the ports were running in front of my eyes even during the break. I started working on the same 20-pointer again, and after spending almost 2 hours on it I got the initial shell. I was very happy. I took all the necessary screenshots and started working on PE.

I found the PE vector in only 30 minutes but was unable to exploit it for the next three hours. Then I started searching on Google for different ways to exploit this vector, and after almost 4 hours I was able to get it working and rooted the machine. At this point I had 55 points. My plan was to get at least 10 more points, so I could have 65 points from machines and 5 points from the lab report. I took a break again for dinner and rested for a while, but my mind was still running and constantly thinking about the machines while I was in bed. I started working on the machines again after a 2-hour break.

Enumeration had already been completed by the auto-script. It took me almost another 3 hours to get everything in line and get the initial shell, and another 2 hours to get root. I was able to score 75 points with these machines so far. I took another break and started checking all the screenshots again and again. I double-checked all the screenshots. I spent my last 3 hours on the last machine, found the entry point it was vulnerable through, but was unable to get in, and my time was over.

I got my result early on Sunday morning, 2 days after submitting the exam report: I passed.

I did not use any privilege escalation tool in the exam: no LinPEAS, LinEnum, WinPEAS or any other privilege escalation checker script.

Tips

  1. Set your goal to learn from the PWK PDF and videos, and learn as much as you can. Also complete all the exercises.
  2. Try to solve the boxes without asking anyone for help. It does not matter how many boxes you are able to solve.
  3. Try the PG_Practice boxes. All the boxes are amazing and teach you new techniques.
  4. Read write-ups written by Rana Khalil and others. Read as many write-ups as you can, and definitely watch IPPSec videos.
  5. Check the Tib3rius Udemy privilege escalation courses.
  6. In the PWK lab you can easily find exploits just by searching on Google. Remember, Google is your best friend.
  7. Do not over-complicate things. The majority of the boxes can be exploited with simple methods. You just need to find the right path.

I did not take long breaks, but I took many short breaks. My suggestion is to take as many breaks as you can.

Helpful Links

Thanks to the Offensive Security team for this awesome course, and to the very helpful InfoSec Discord community.
