OSCP (starting 13/12/2015)
Comments
-
deyavi Member Posts: 23
Or... you could just start from your second step (vulnhub + penetration testing books) and then start the labs (which is what I did and found quite helpful)
-
Sch1sm Member Posts: 64
Failed my second attempt and, like a few others, it went worse than the first. The availability is pretty awful for booking a retake now as well.
-
deyavi Member Posts: 23
There's a cooling off period, so I guess during that time you cannot schedule a date.
-
Sch1sm Member Posts: 64
Yes, that period has passed. I think the cert may be getting more popular and they haven't necessarily upscaled their process to match it yet. For example, they recommend you sign up 2 weeks before you want to start the course; however, in reality the waiting period is closer to 6 now.
-
Sheiko37 Member Posts: 214
I tried to figure out what sort of sign up numbers they get a while ago. I know my OSCP student number, and in the IRC chat new users generally default to their student number for a username, so I can see the difference between my ID and the highest ID in the room and roughly guess the number of new students since my sign up, which turned out to be 550-600 new students per month.
Then you could take a guess at the pass rate. I have my own opinion based on the forums, the chat, and just talking to other students, but there's probably not many OSCPs coming into the world each month.
This is likely wildly inaccurate speculation.
-
Sheiko37 Member Posts: 214
I tell you what, the mental toll this is having on me is real. I've just realized I'm coming up to 6 months working on this. I never thought it would take that long, and I'm no more confident going into the third attempt this weekend.
I've had a plan for what I'd do next after each fail, and in the event I fail the third attempt my plan was to keep going through VulnHub VMs and read The Hacker Playbook 2, but the reality of the alternative resources I've been using is that for every 1 new thing I learn I'm exposed to 10 new subjects that (I think) are either not relevant or beyond the scope of the OSCP, which builds up fast, and soon I have a mountain of what I don't know which certainly doesn't help with confidence.
There are 10 machines that had a major change in the OSCP lab after my time expired, and who knows, maybe the exam had an overhaul too. If this weekend goes bad I may have to face reality, buy 3 months more lab time and basically start again.
-
doctorlexus Member Posts: 217
Just picture Gunnery Sergeant Hartman yelling at you: "You will not laugh! You will not cry! You will learn by the numbers! I will teach you!"
Keep at it until you get it. The only reality to face is it's taking longer than you wanted. But you will get it eventually. The only real mistake is giving up.
-
JollyFrogs Member Posts: 97
Good luck Sheiko, I have a feeling that you will get it this time.
The most important resource you will have on the exam (besides knowledge) is time. If you don't manage your time, or if you waste it, then you will have a hard time on the exam. You don't have to reset your machines at the start so start scanning the machines from the get go.
Some tips:
- precompile exploits so you don't have to write or search for them during exam. If you find a pee-h-pee (I think this forum doesn't allow certain extension scripts) vulnerability you don't want to spend 2 hours writing or fixing up an exploit that you could have had readily available. Same for typical exploits like Joomla and Wordpress etc: Have them ready to go and know how to use them.
- know how to transfer files to and from linux using various means - there's at least 10 ways to transfer a file to and from linux: know all of them and have them all in your documentation ready for copy/paste before the exam.
- same for windows transfers. If you need to transfer a file with power$hell, you should be able to do so within 20 seconds based on your notes. If you have to find out how to do it during the exam, then you are wasting time and this will make your exam needlessly harder - In this case, you simply weren't ready for the exam.
- have kernel exploits ready to go. There are 3-4 reliable kernel exploits that will work on most older kernels (mem.poh.dipper being one of them) - have them in your notes ready for copy/paste exploitation. Things can sometimes be as simple as "uname minusa" -> copy/paste applicable exploit -> done. Don't precompile them but have the compilation scripts and sources ready to go.
- same for windows exploits, there are 3-4 reliable ways to exploit windows privileges (kitrap0d being one of them). I had a folder called "Local Privilege Escalation" with subfolders for each different version of windows and some major linux kernel versions (I made sure that my exploits overlapped with the full range of kernel versions from the very old to the very recent). Once I got a limited shell I simply went into the corresponding folder and I was done. I ended up with a batch script that brute-forced precompiled exploits (not very elegant but quite effective and more importantly very fast).
- have payloads ready to go for any situation you land up in - Good, reliable php webshells and reverse shells, binbash, shells, netcat, shellcodes, scripts that add root users (linux) or administrator users (windows), etc etc... Have it all ready.
- use "searchsploit" for each and every port you identify with nmap. Use "searchsploit" for escalating privileges via kernel ie: "searchsploit kernel privilege x.x": This is often an easy way to get root on a limited shell.
- have nmap scripts ready to go. There are threads here that show examples of how to effectively nmap hosts. Start with a TCP scan only (faster) and while you work on a TCP vulnerability, scan for UDP (slower so can run while you crack something else).
- Scanning 65535 tcp ports should only take 2-3 minutes when nmap is properly configured. Don't run extensive checks on closed ports because that would be a waste of time. First do a fast TCP scan on all ports, then do an extensive scan on only the open ports. One of the ways you can do this with nmap is in my thread in these forums. Make sure you fingerprint the ports with nmap, this saves you time.
- run nikto on webservers (typically port 80 and port 443 but webservers can run on any port) while you crack another machine (same as UDP). nikto will run for a while, and you can do other things while the scan runs.
And as a last tip: Start with the host that grants the most points and stick with it - ignore the world until that host is down. At some point, it's likely that you will break a sweat (minor panic reaction - it's normal) and want to move to another host because the one you chose is "just too hard". But don't give in: Keep going at the host you chose until it's down. When you break a sweat, go for a short walk outside for 5 minutes (don't watch TV) to regain confidence. The reason for choosing the hardest host first is so your scans get more time to complete. Get plenty of coffee and sugar and don't sleep until you've cracked all machines - don't worry about the report you will have plenty of time (another 24 hours) to write it.
Good luck!
-
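A worked version of the two-phase nmap workflow the tips above describe (fast sweep of all 65535 TCP ports, then version and script scan only on the ports that came back open). This is added example code, not from the original post; the target host, output file names and timing flags are assumptions, and the grepable-output parser is what ties the two phases together.

```shell
#!/bin/sh
# Two-phase nmap workflow: fast full-range TCP sweep first, then a slower
# service/script scan restricted to the ports the sweep found open.
# Added example; target and output names are placeholders.

# Parse an nmap grepable (-oG) file and return the open TCP ports as a
# comma-separated, ascending, de-duplicated list suitable for "nmap -p".
# Grepable lines look like:
#   Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  ...
open_ports_from_grepable() {
    grep -o '[0-9][0-9]*/open/tcp' "$1" \
        | cut -d/ -f1 \
        | sort -un \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# Run both phases against one target.
#   $1: target host or IP (placeholder, e.g. 10.0.0.5)
#   $2: optional output prefix (defaults to scan_<target>)
two_phase_scan() {
    target="$1"
    out="${2:-scan_$target}"

    # Phase 1: every TCP port, no host discovery, no DNS, aggressive timing.
    # --min-rate keeps the sweep short; tune it for the link you are on.
    nmap -Pn -n -p- -T4 --min-rate 1000 -oG "$out.phase1.gnmap" "$target"

    ports=$(open_ports_from_grepable "$out.phase1.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open TCP ports on $target: $ports"

    # Phase 2: version detection and default NSE scripts, open ports only.
    # -oA writes normal, grepable and XML output for the report.
    nmap -Pn -n -sV -sC -p "$ports" -oA "$out.phase2" "$target"
}

# Stand-alone usage: ./two_phase.sh <target> [output-prefix]
if [ "$#" -gt 0 ]; then
    two_phase_scan "$@"
fi
```

Run the UDP scan (nmap -sU) as a separate background job while phase 2 is in progress, as the post suggests, rather than folding it into this script.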
Sheiko37 Member Posts: 214
Good advice. I've prepared a lot of what you've suggested already. I have a fairly methodological approach, but at the same time I don't want to over-prepare as I worry it can lead to tunnel vision.
-
Sheiko37 Member Posts: 214
I failed again, actually have a few hours left but it's definitely a fail.
-
Sheiko37 Member Posts: 214
It was a fail. I could have had the rest of the month on the remaining machines and wouldn't have gotten any further.
-
Sheiko37 Member Posts: 214
I had success with the buffer overflow machine (for the third time), and one other machine worth 20 points. It took me about half an hour to get a low privilege shell, another 15 minutes to find the vector for privilege escalation, then about 5 hours to get it working. I tried a dozen different methods that should've worked but obviously didn't; at one point I was staring blankly at my account which said "Administrator" but getting "access denied" to any Administrator directories... is this a joke? In the end it worked through a method basically the same as the previous dozen, but this time it just worked.
The other 20 point machine I got nowhere, the small amount of services were locked down, unauthorized, denied. The web server was barren. I had an idea of what to do if I could do anything with FTP, but it was entirely locked down, and searching revealed no relevant or working exploits.
The 25 point machine also nothing, shares denied, brute force attempts failed, services blocked, the web server was sanitized and protected against redirection or injection. However looking back on it now, this server is connected to the 10 point server (something I thought I'd never see in the exam), so possibly the web service is not there to exploit, only to hint that a low privilege shell is dependent on another machine in the exam.
The 10 point machine had a clearly vulnerable application with a single existing exploit online that needed minor modification - it didn't work. I spent hours on it, no success. Today after the exam I downloaded the application to my personal computer and tried the same exploit, I had it working in half an hour...
I have no idea where to go from here. I feel like I'm doing all the right things and just being ****** over by an excessively particular exam. I could take a gamble at another attempt but who knows what machines I'll get, or I could step back and reconsider the OSCP in 3 months, 6 months, a year, never...
-
Sheiko37 Member Posts: 214
I had my 4th exam attempt a few days ago where I hacked 4/5 machines. I just got the email from Offensive Security and I passed. It's finally done.
I'll post later about the most recent exam experience, and eventually put together a package of information to summarise the experience and what I think would be helpful for anyone thinking of doing the OSCP.
-
lollypop Registered Users Posts: 1
I failed my first exam a few weeks ago and came across this thread looking how to improve. I like how you persisted despite the frustration. In the end, it's all about the end result. A job well done!
-
JoJoCal19 Mod Posts: 2,835
Congrats on your pass Sheiko. What do you think helped to put you over the pass mark? Any resources, books, etc?
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
-
danny069 Member Posts: 1,025
Good thing is the OSCP doesn't expire, right?
I am a Jack of all trades, Master of None
-
Mooseboost Member Posts: 778
A huge congrats to you Sheiko! You definitely earned this one.
-
chazb0t Member Posts: 42
Congrats bro, definitely been following your threads. I'm glad you didn't give up.
-
towentum Member Posts: 41
That's awesome! Congrats. I commend your persistence, in the end it paid off!
-
Sheiko37 Member Posts: 214
Thanks for all the congratulations.
In the last exam I got two new machines and two repeats, and there's one that's more of a task than a normal machine to hack, it repeats every exam attempt.
The "task" went fine as usual, finished it in about an hour.
I'd hacked one of the repeat boxes in a previous attempt, so I stepped through it and collected screenshots in about half an hour. That's 45 points in an hour and a half.
I needed to hack either one of the bigger scoring boxes at this point to score a pass, so I focused on the new one. The low privilege shell wasn't too hard, no exploit, it was think-like-a-hacker and gather information. From there though there were three stages of escalation to get to root, each one took time but I never really ran out of ideas. I had lots of enumeration scripts to go over the output of, checking installed applications, home directories, cronjobs, trying exploits, services running as root, etc. I didn't have a "I have no idea" moment. It was about 6 hours into the exam when I got root and had enough points for a pass (if I submitted my lab report as well).
I went for the lower scoring machine (also a new one) just to ensure a pass. It took about an hour and was similar to a machine from the labs, after about 15 minutes of enumeration I knew what needed to be done, it just took some trial and error.
I spent a short while on the other repeat machine, high scoring, the third time I've had this in an exam. I quit it quickly though. I have absolutely no idea how to get even a low privilege shell on that one.
I spent maybe 8 hours writing the report, not because it was hard, but because I re-read it so many times. I re-exploited every machine multiple times to make sure screen shots were clear and the proof files were accurate. It was 27 pages.
Thanks for reading. I'll summarise resources and the course itself next.
-
9emin1 Member Posts: 46
> [Sheiko37's post above, quoted in full]
thanks for the short write-up!
it is very helpful for anybody (including me) who is currently tackling the oscp
-
Sch1sm Member Posts: 64
> I went for the lower scoring machine (also a new one) just to ensure a pass. It took about an hour and was similar to a machine from the labs, after about 15 minutes of enumeration I knew what needed to be done, it just took some trial and error.
Congratulations though, really happy for you dude
-
Sheiko37 Member Posts: 214
There's a lot you can do to prepare so I'll list what I think is helpful, or needed.
You do need to know some coding. You don't need to code well enough to make your own exploits or automate everything through scripts, but you will need to edit exploits from exploit-db.com, and you'll come across a lot of exploits that may not work for whatever reason, so if you can understand the code then you can take out the relevant parts or replicate the whole exploit manually. I've only done the Python course on codecademy.com, it's not great, but it's definitely good enough for the OSCP, you should be able to finish it in 10-15 hours.
You'll also need to be familiar with the Linux command line. This book is commonly recommended and free - The Linux Command Line by William E. Shotts, Jr. You should have some basic Linux knowledge, such as file permissions, sudoers, cronjobs, the $PATH variable, the filesystem hierarchy, etc.
Kali Linux (which is the penetration testing Linux distribution used in the course) is free - https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/, you can download it and start hacking now.
The best thing you could do in preparation, and to even see if this is a course you'd be interested in, is download VMs from vulnhub.com and step through hacking them. Kali Linux is free, the VulnHub VMs are free, it's hardly more complicated than download and double click, and there's multiple walkthroughs for all of them. It is that easy to get started and you'll learn a lot of the above mentioned Linux basics.
I recommend these VMs from VulnHub as most fun or relevant to the course.
Kioptrix Level 1.1
***** 1
SickOS 1.1
SickOS 1.2
Droopy v0.2
Kevgir
Pegasus
SecTalks: BNE0x00 - Minotaur
SecTalks: BNE0x03 - Simple
NullByte: 1
FristiLeaks 1.3
There are some others that are more educational or for demonstration purposes; it may even be worth starting with these.
OWASP Vulnerable Web Applications Directory Project
Mutillidae
Damn Vulnerable Web Application
The only penetration testing book I used was The Hacker Playbook 2, and it's really good. It will give you a lot to try on the lab machines.
Penetration Testing with Kali Linux (PWK): This is what you do before the labs, a 374-page coursebook. It's... inconsistent. There's some basics in there such as starting/stopping services, using netcat, bind/reverse shells; this is all essential and done well. However, there's a lot in the book that I found not relevant to the lab and exam, such as Google hacking. There's some parts that are really basic, and some complicated, e.g. there's seven pages on using the grep command (why is this even in the book?), and in another chapter they casually ask you to write a Metasploit exploit in Ruby from scratch.
In the end the course material is maybe 10% of the whole OSCP process. If you get stuck on anything in the book, move on, but re-read it occasionally during your lab time, you'll find things you missed. If you document your answers to all the exercises it will score you an extra 5 points in the exam, though not all exercises are required, check with an admin.
The Lab: There are about 50 machines and they're like what you see on VulnHub; however, it is all one network, some machines are relevant to another, they're all more professionally made, and they're all meant to be realistic, there are even programs to imitate human behaviour.
There's a lot of tools not mentioned in the course material that are essential, get familiar with them.
Burp
OWASP ZAP
w3af
Zenmap
Nikto
DIRB
DirBuster
Ophcrack
BeEF
I'm sure there's more. Kali Linux comes with a lot so just experiment, and look for enumeration and privilege escalation scripts, there's a few commonly used. I also see no reason to not use Metasploit and a mass vulnerability scanner like Nessus, just go back and step through everything manually.
They have an IRC channel and student forums, use both, network with other students, it's immensely helpful, but just don't look to trade answers. It won't help the learning process and I think it can get you banned from the whole course.
If you can't get an exploit working, the vulnerable application is sometimes available to download from exploit-db.com; install it on your home PC or VM and try to exploit it. It's a lot easier when you control both machines.
Take notes on everything and write your lab report as you go, it's worth another 5 points in the exam.
The Exam (OSCP): The OSCP is actually just the exam part of the whole course. I honestly think most students wouldn't even sit the exam, and the failure rate of those who do sit it is probably high. This is just my opinion from speaking with other students and the IRC channel. I recommend scheduling your exam before the end of your lab access, that way if you fail you still have some lab time to prepare for the next attempt.
If you had success in the labs you'll eventually pass the exam. I hacked 30 machines in the lab and in hindsight that's not enough. I have no other specific advice for the exam. I don't think passing the exam has anything to do with things like making a step by step process, how many breaks you take, staying hydrated, etc. If you have the knowledge you'll pass, if you don't you'll fail - that's it.
That's all I can think of for now. If anyone has questions let me know.
-
Evolved117 Registered Users Posts: 1
Congratulations, it has not been easy!
Do you have tips about attacks or information gathering against IRC services, specifically InspIRCd?
-
griffondg Member Posts: 39
Congrats on the pass! I'm in the same boat as you as far as attempts so I'm hoping to follow you in your success when I get back from vacation.
-
Paolo264 Member Posts: 13
Congrats and great thread, really helpful for those of us starting out on the OSCP journey.
CISSP | CRISC | ISO27001 Lead Implementer