OSCP - Try harder... again.

My previous lab time slipped away from me. A lot happened in between when I signed up and now, some good and some bad - both in my work life and home life. Everything from role changes to going through the start of a divorce. Now everything is clear and I am ready to go back into it.
I signed up for another 90 days. The lab doesn't feel any different than it did before, so I don't think any of the machines have really changed. On the plus side, I have some real world pentesting experience under my belt now, so hopefully, I can apply what I have learned.
Here we go, round 2!
Comments
NEVER give up!!! Keep trying and always aim to do better!!! Know that this forum believes in you and knows you can DO IT!!!!
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
Spent a good bit of time in the lab yesterday. Managed to get two roots out of the way, Alice and Mike. I'm pretty sure I found a vector on a third host, but I will need to play around with the webapp to get my shell going.
Roots: Alice, Mike.
Overall a pretty good start!
Roots: Alice, Mike, Ralph.
The weekend proved to be a learning experience. Do NOT always rely on msfvenom payloads. Sometimes they simply are not the best for the job and will not always result in a stable shell. I keep hearing enumeration echoed from everyone who has been successful in the labs and the exam; this is the true statement. If you don't have a shell, then you haven't enumerated enough. Everything is there, you just have to find it. Record everything you plunder from a box because I can promise you, some of the things you find will come in handy later.
I am hoping the hotel's wifi will be good enough to spend a couple of nights in the labs. I am on a roll and don't really want to risk slowing down. I know I won't always be able to slam out roots but I don't want to lose that "rush" that I am feeling!
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
The more I do the labs, the more of a process I start getting. Enumeration is still something I need to improve on and develop a better flow for. I keep going down rabbit holes due to jumping the gun - seeing something and immediately going for the exploit without finishing my enumeration. This has resulted in more lost hours than anything else in the lab. Enumeration and privilege escalation need a lot more practice for me. Thankfully, there is plenty of that in the lab!
In total so far I have 13 roots with plenty of lab time left. I think I may shoot for my first exam sit down towards the end of June. I hope to have a minimum of 20 hosts down by then.
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma, Beta, Helpdesk, Barry, Kevin, Bob
Next: CCNP (R&S and Sec)
Follow my OSCP Thread!
I rooted Mail and Joe today. Mail was relatively simple to get a low priv shell on and I just happened to stumble on the escalation reading a blog somewhere else. Joe was difficult though and proved to be a thorn in my side. Not because he is overly difficult mind you. The battle with Joe was the first time I have had other students trying to work on the same machine as me. I was already working on Joe though, so I was not going to be defeated! I ended up getting him rooted and escalated before anyone else kicked me off with a revert. Grabbed my post exploits and scooted out.
I've found two machines now that have IT network access. I got really excited when I found the second network.txt, but it turned out to be another machine with access to IT. I was hoping for the admin network, but alas - not there yet. I have been lucky so far with rooting machines. I have had a few that I have had to come back to (looking at you Bob) but once I got a low priv shell - I was able to escalate within a matter of hours. I really need to work on that though, I know that timely escalation will be critical in the exam. I still have 73 days of lab time to go and 15 roots so far. I think once I hit 20-25 I will schedule my first exam attempt, hopefully in mid June. I doubt I will pass, but it will help me gauge where I am and give me lab time post-failure.
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma, Beta, Helpdesk, Barry, Kevin, Bob, Mail, Joe
The lab is progressing nicely though! I have rooted Pain and Humble, two of the big four. Pain actually was not that bad. Humble threw me for a loop. The initial shell was pretty difficult but I think the issue was because someone else was hitting the box at the same time. There is a DOS PoC you can do for the exploit and I think they kept using that. The service seemed stuck in a loop. I would revert and it would be fine, then shortly after crash again or act really weird. I finally moved to the second one of them (some boxes have copies) and after a revert everything went smoothly.
I am torn now between trying to get more boxes in the lab versus going back over the boxes I have now and practice being methodical and writing out a report. I haven't done a lab report or the exercises from the PDF this round. I am tempted to go through them. Five points is five points and it is experience with writing the report. I know I need to hit the buffer overflow hard. Right now the plan is to go back and go through the machines I already have (without my notes as much as I can) and write the lab report up. Then go to the buffer overflow till I feel comfortable. Once I do that, I will go through the exercises if there is enough time left. I have a total of 18 hosts (17 lab write-up eligible) so I should have enough different paths to cover the lab guide.
Hopefully things speed up before the lab. Right now I don't have any machines that have taken more than a day or two, but that is still a lot of time per host. Even during the exam, I will probably still have to reference **** sheets and write-ups.
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma, Beta, Barry, Kevin, Helpdesk, Bob, Mail, Joe, Pain, Humble, Core.
The exam was a beast. The labs did a good job of preparing me for the exam but I still had to try harder. The exam boxes were a step up in difficulty from the lab machines. After passing the exam, I took some time away since I had an out-of-town friend over. After spending some time at the beach and camping in the mountains, I feel fully recharged now and ready to go back to it.
What's next? I am not fully confident with that yet. I think for now that I will be focusing on web application and general pentesting before I dive further down any specific rabbit hole. I thought about the OSCE, but right now it doesn't make too much sense for me as a career choice. Before I head down the OSCE path, I need to find a pentesting position and build more of a foundation. Once I have that, I will circle back to the OSCE.
There will be a full review of the OSCP coming shortly. I don't quite have the energy at the moment to give it a proper write-up, but expect something within the next few days!
Thank you to everyone here who has shown support. It means a lot to know that there is a community there to help push you along when you need it.
Prior to the OSCP I had roughly a year's worth of pentesting experience. In my career I have dabbled in a bit of everything from network engineering to analyst work, preferring the “Jack of All, Master of None” approach. Having a diversified background benefited me during the course, having been exposed to different technologies. Academics-wise, the only offensive course I had completed before was eLearnSecurity's PTS course.
The Course:
The training materials provided by Offensive Security are more than sufficient for getting started in the labs. My recommendation is to go through the PDF and videos together, section by section. If you follow each exercise presented, you will finish the training material with enough to compromise a handful of hosts. There is no particular order that is advised, but you will quickly figure out which services are more complicated and which services will be the easiest foothold. There are some mechanics in the lab machines that you may not see on the exam, so don’t fret if you can’t get those boxes. You will understand more about what that means once you start the lab and run across one of the hosts. I can’t spoil all the fun, can I?
Your lab time is best spent trying to expose yourself to as many boxes as possible. If you struggle more than a day or two on any particular host - move on and come back later. I feel like this is an absolutely critical requirement that I struggled with. The further down the rabbit hole one goes, the harder it becomes to dig yourself out. I spent days on hosts that I later came back to and easily popped. The more time you sink into a particular path, the harder it is to admit you are wrong. No one wants to admit they have wasted hours upon hours going down the opposite side of the highway, but hey - sometimes it happens. Time management is paramount in the course and even more so in the exam. Set timers for a box and when it's up - cycle out to another one.
Speaking of time management and administrative tasks - notes! I used CherryTree to keep track of all the notes about the lab network. I cannot stress enough that you do this from the start. I failed to keep proper notes when I started and because of this, I had to figure out certain hosts again when I circled back to them. Record everything - not just what works. You will kick yourself in the ass later if you don’t. Trust me. My own shoe print is still on my backside.
The standard recommendation for lab time is 90 days and I cannot disagree with that. You can get by with less time if you have some experience. In hindsight, 60 days of lab time would have been more than enough for me. It’s better to be cautious and not have interruptions during your lab. The cost difference is negated by the ROI I think the certification provides. There really isn’t anything that competes with this at the price level. SANS has some amazing training but it is bananas expensive. eLearnSecurity has great training as well for a similar price point but the name recognition is not there and the experience is nowhere near as intense as the OSCP is.
The Exam:
The exam is simply put: a beast. You will sweat and you will curse. Time management is no longer a recommendation but a requirement. You have 24 hours to obtain 70 points (65 points if you did the lab write-up and exercises) and another 24 hours to write the report. One thing that is not often discussed in reviews is the timing. My recommendation is to select a start time in the afternoon. This will give you time to get some rest in between. If you start at 6-9AM, then you don’t have the same benefit as someone who started at 3 PM. The person who started at 3 PM will work till the wee hours of the morning then grab some Zs and hit it again refreshed.
I started my exam at 3 PM and wrapped up with 75 points at 5 AM. One of my mistakes was not taking enough breaks. During the whole time, I only got up a handful of times. I didn’t eat and only drank minimal amounts of water. This is not the way to do it. I repeat, do not do this. You may pass but your body will hate you for a few days after.
In the exam, you will be given five boxes worth a variety of points. You will encounter the following: 25 point box (2), 20 point box (2), 10 point box (1). The order you do them in is entirely up to you. I’ve seen different folks tackle it differently. One of the 25 point boxes will always be a buffer overflow and the majority of people will go for that one first. While doing that box, you should have recon running against all the other hosts. By the time you finish your overflow box, the scans should be complete and you will have a base to go from. I went for the 20 point boxes first and then the 10 point box. Some people go straight for the other 25 point box.
Both of the 20 point boxes fell without too much trouble. I had 65 points within 7 hours and honestly was kicking myself for not having done the lab write-up. I could have walked away right then with enough points if I had. Alas, I didn’t so I had to conquer one more box. This is where things got frustrating for me and I spent the next several hours rolling around in the dirt while howling at the moon. Around 5 AM some wizardry happened and I was able to successfully exploit the 10 point box. I can’t (and won’t) give spoilers to any of the boxes but what kept me from immediately getting this box was a networking issue. I needed something from the box and during the transfer, something kept breaking. I spent over 5 hours banging my head against a bad transfer. On that fateful final transfer, I noticed the size was slightly different than before and behold - what I needed was correct this time.
Overall the exam does a good job of stepping up the difficulty of the lab. In terms of exploit difficulty, you will not find a significant increase in the level of effort but the time restriction adds a new level of stress. You can spend days poking at a machine in the lab. In the exam, you get 23 hours and 45 minutes to own multiple boxes. This puts an enormous pressure on you that will cause minor mistakes to become big mistakes. The exam is absolutely doable if you have taken the time to hone your skills in the lab. Patience and Practice. That’s all that is required.
Conclusion and What's Next:
Looking back on the experience, I am thankful to have obtained my OSCP certification. It was a humbling experience to see a success where before I had a failure. There is nothing like the feeling of seeing that root prompt after struggling with a box for so long. The mindset I obtained during the course and exam will help me further my studies and career. If the question is Should I do the OSCP? The answer is yes. Always, yes. You don’t have to be an infosec wizard to take this course and be successful. It’s not about experience or intelligence. It’s about drive. If you can drive yourself to never quit, you can become an OSCP. You may require more time than others, but that is OK. Not everyone in the same physics class learns the material at the same rate.
As for what's next, I think I will spend some time focusing on web applications and start participating in bug bounties to help further my skill set. HackTheBox also seems like an interesting place to spend some time learning new things and keeping everything I learned in the OSCP fresh. I will be starting a new position as a threat hunter soon with a new company, so I will have that to focus on for the next bit as well. Certification wise, I have a PTPv4 elite voucher that I need to use so I may try to take a shot at the eCPPT.
Overall, I cannot recommend the OSCP course enough. This concludes my little write-up of my OSCP experience. I could write a formal prep guide but honestly there isn’t anything I could say that someone else hasn’t already said better. Good luck guys and always try harder!
2023 Cert Goals: SC-100, eCPTX
I intend to kick off the eCPPT exam Monday if everything goes according to plan, so hopefully, I can answer that for you fairly soon. As for the OSCE, it definitely is in my field of interest. I would really like to pursue it but I am afraid at my current point, it is beyond what I am capable of. I don't think I am smart enough to tackle it... yet. Who knows though, that may change. If I do go for it, it will definitely take far more prep than I have done for the OSCP.
2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
Twitter: https://twitter.com/Malware_Mike
Website: https://www.malwaremike.com
"If the question is Should I do the OSCP? The answer is yes. Always, yes. You don’t have to be an infosec wizard to take this course and be successful. It’s not about experience or intelligence. It’s about drive. If you can drive yourself to never quit, you can become an OSCP. You may require more time than others, but that is OK. Not everyone in the same physics class learns the material at the same rate."
That part along with "Try Harder" definitely keeps me going, as I doubt myself at times during my studying. Good luck on your future endeavors.