My OSCP journey | PEN-200 review
Hi, this is Abhishek Rautela, and in this blog post I would like to share my journey to the prestigious OSCP certification. I’ll break this blog into a few sections so that you can jump to the section you’re most interested in. I cannot share much information about the exam machines or the labs due to restrictions by Offensive Security, but I will try to share my personal experience with the labs and the exam.
The path to the OSCP varies from person to person, so this review wouldn’t be complete without telling you about myself and my skill set prior to the certification.
To cut it short, I don’t have any related education. The only time I studied Computers was in high school (10th grade). This dates back to 2011, when we were taught Java programming at school. I really enjoyed learning to program back then. I was always good at programming and was able to score 92/100 in my Computers exam, which mainly consisted of Java programming. For various reasons, I left Computers and decided to study Mathematics and Biology instead (the worst decision of my life).
While working, I started learning basic networking from YouTube. You can also easily find some quality eBooks for free. Some people in the industry recommend taking the CCNA prior to any hacking certification, but in my opinion the CCNA is overkill for hacking; you can try Network+ instead. In late 2018, I found a YouTube channel called HackerSploit. This channel is responsible for strengthening my basics and making me realize that infosec is where I wanted to be. In January 2019, I formatted my laptop and installed Linux for the first time (Parrot). I switched to Kali a few months later (just because I found it more lightweight) and have been using Kali and Ubuntu since then.
The OSCP Journey
In September 2020, I bought a 3-month lab subscription from Offensive Security. I was very excited and soon received the welcome package. My lab time started on the 27th of September. Offensive Security provides both PDF and video lectures for the PEN-200 (formerly PWK) course. I started with the PDF and decided to take effective notes. I used CherryTree and Vim for note-taking and Flameshot for screenshots. How do you take good notes? Note down everything you feel is important. Take screenshots and paste them into your notes. Use a tool like Flameshot (recommended) to take effective screenshots. You can use Obsidian, Microsoft OneNote, CherryTree or any other text editor of your choice for note-taking. If you can’t decide what is important and what is not, note down everything.
I had already been working on a Linux system for more than a year by then, so getting through the initial modules was easy. Reading material can be boring, so I took three Udemy courses to mix things up alongside the course material. I would recommend doing these courses before you buy a subscription from Offensive Security, as they will give you a solid understanding of common recon, hacking and privesc techniques. The three Udemy courses I did are as follows:
- Practical Ethical Hacking(The Cyber Mentor)
- Windows Privilege Escalation(The Cyber Mentor)
- Linux Privilege Escalation(The Cyber Mentor)
The first month of my precious lab time was spent reading the material and completing the Udemy courses. I was not confident enough, so I decided to give it another read. The next read took 15 days and, guess what, I made notes again. I opened a new CherryTree instance and noted anything that I felt was important. This time my notes were more refined, and writing everything down twice helped me remember important concepts and commands (muscle memory).
Once done with the reading material, I decided to go for the labs. Offensive Security discourages going through the labs in sequential order, but I found it easier to just pick a target (avoid this approach at all costs). Tip: Offensive Security provides a detailed write-up of two machines (Alpha and Beta); do them first. The write-ups provided by Offsec are pure gold, and doing Alpha and Beta first will help you form a methodology. I didn’t know this until I started doing Alpha and Beta in the last 15 days of my lab time (mistake).
The labs were an amazing experience and I managed to pwn 35 systems, including all of the big four (Pain, Ghost, Sufferance and Humble). Was I able to pwn all the systems on my own? Absolutely not. Initially, I was always turning to the student admins for help. The student admins are some of the nicest guys I have ever interacted with, and they were always able to redirect me to the intended route. Remember that they expect you to try everything you have learned in the materials. You can also check a goldmine provided by Offsec: the Offensive Security Forums. The forums have a lot of things I couldn’t have figured out on my own. I would highly recommend checking the forums when you genuinely get stuck and are not able to figure anything out. I spent around 40 days in the lab enjoying and crying. Do not rush the labs; the goal of the labs should never be to pwn as many systems as possible. Focus your energy on understanding a system, why something is vulnerable and how it can be exploited. Most of the machines are similar to real-life ones, but some can make you cry hard.
The best strategy for the labs is to start with Alpha and Beta and then pick a target according to the list provided by Offsec.
My lab time ended after Christmas and I scheduled my examination for mid-January. The next few days were spent revising my notes and going through the PDF once again, for the third time.
Another mistake I made was not booking the exam early, so the only slot I could get on my desired date was 1:30 AM. Soon the day arrived. I slept at 10 PM and woke up at 12:30 AM. I logged into the student proctoring tool at 1:15 AM and was done with verification by 1:40 AM.
I decided to go with the Buffer Overflow first. I had set myself a goal of completing it in 45 minutes and, damn, I was so wrong. I missed a single bad character and spent 2 hours figuring out what went wrong. So, in the first three hours, I had 25 points in my pocket. The next 2 hours were spent on the 10-point machine trying to exploit it manually: epic fail. So I decided to switch to another machine. By evening I had around 45 points in and felt completely exhausted. I used Metasploit on the 10-point machine and had 55 points in. I was unable to rest and sleep. Anxiety was hitting me too hard. I was running low on time and went down a rabbit hole on the 25-point machine. At around 10 at night, I decided to call it off.
It felt horrible, and the next 2–3 days were spent mourning the loss. What next? I decided to purchase a HackTheBox VIP subscription and try TJ Null’s OSCP-like boxes. The next months were spent doing HackTheBox. At this time I found IPPSEC’s YouTube channel and, to be honest, that channel made the biggest contribution to my OSCP journey. IPPSEC helped me build a methodology. How to approach HackTheBox? Try to solve the boxes on your own. If you ever get stuck, try reading 0xdf’s or Snowscan’s write-up; they have some amazing write-ups for some of the major boxes. Take good notes and screenshots and, once done with a box, go for IPPSEC’s walkthrough. This will help you build a methodology and realize the things that you missed.
Once I had completed TJ Null’s HackTheBox list, I decided to pwn some active machines. Attempting active machines was the best decision of my journey, and I learned a lot during this time. Attempting active machines pushes you to the limit, as there is no walkthrough to help you this time. Some of the machines might not be OSCP-like, but I really believe it helps strengthen your methodology. It also introduced me to new people on Discord who would provide an easier method for a complicated task. This approach also helped me rise through the HackTheBox ranks, and soon I was ranked Pro Hacker. I also did some free rooms on TryHackMe during this time. Roughly speaking, I did about 100 boxes (HackTheBox, VulnHub and TryHackMe) during this period.
Once I was confident enough, I scheduled my examination. This time I scheduled it a month in advance and got a time slot of my choice.
THE BIG DAY
I logged in to the proctoring tool at 8:15 AM and completed the verification process by 8:30 AM. I started my Nmap scan for the 25-point machine in a tab and started on the Buffer Overflow machine first. This time I increased the font size in Immunity Debugger to rule out any errors while looking for bad characters. In around 35 minutes I had an admin shell on the box. I spent the next 30 minutes taking notes and screenshots. Remember to note down and screenshot every step.
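Missing a single bad character when comparing a memory dump by eye is exactly the kind of error a larger font is meant to prevent. The following is an added example, not the author’s script and not part of the PEN-200 material, that makes the comparison mechanical: it builds the 0x01–0xff test string, diffs it against the bytes read back from the stack, and reports only the first divergence, because one mangled byte usually corrupts or truncates everything after it. It assumes you copy the stack contents out of the debugger as a hex dump; `simulated_target` is a constructed stand-in for the vulnerable service, not a real one.

```python
"""Bad-character check for a stack buffer overflow (added example, not the
author's script). Send 0x01..0xff minus the bytes already known to be bad,
read the copy back from the stack in the debugger, and compare. Only the
FIRST divergence matters: a mangled byte usually corrupts or truncates
everything after it, so later mismatches are noise until that byte is
excluded and the payload is resent."""

KNOWN_BAD = frozenset({0x00})  # a null ends most string copies; always exclude it


def badchar_payload(exclude=KNOWN_BAD):
    """Every byte value 0x00-0xff except the ones already known to be bad."""
    return bytes(b for b in range(0x100) if b not in exclude)


def parse_hex_dump(text):
    """Turn a hex dump copied from the debugger ("01 02 03 ...", any spacing
    or line breaks) into bytes."""
    return bytes.fromhex("".join(text.split()))


def first_divergence(sent, observed):
    """(offset, sent_byte, observed_byte) at the first mismatch; observed_byte
    is None if the dump was truncated there. None if the copy is faithful."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s, o
    if len(observed) < len(sent):
        return len(observed), sent[len(observed)], None
    return None


def next_bad_char(sent, observed):
    """The next byte to exclude, or None when the copy is clean."""
    d = first_divergence(sent, observed)
    return None if d is None else d[1]


def find_all_bad_chars(send_and_dump, exclude=KNOWN_BAD):
    """Repeat send/compare/exclude until the dump matches; return sorted list.
    send_and_dump(payload) -> bytes stands in for the manual loop of sending
    the payload and copying the memory dump out of the debugger."""
    bad = set(exclude)
    while True:
        payload = badchar_payload(bad)
        found = next_bad_char(payload, send_and_dump(payload))
        if found is None:
            return sorted(bad)
        bad.add(found)


def simulated_target(payload):
    """Constructed stand-in for a vulnerable service: it expands LF to CRLF and
    stops copying at CR, two real-world behaviours that make 0x0a and 0x0d bad
    characters. Neither shows up as a one-for-one byte substitution, which is
    why a diff against the sent bytes beats eyeballing the dump."""
    out = bytearray()
    for b in payload:
        if b == 0x0d:
            break
        if b == 0x0a:
            out += b"\r\n"
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    found = find_all_bad_chars(simulated_target)
    print("bad chars:", " ".join(f"\\x{b:02x}" for b in found))
```

Against a real target you would replace `send_and_dump` with your own send-then-copy step, pasting the debugger output through `parse_hex_dump`; the loop structure is the same, one excluded byte per round.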
One hour into the exam and I already had 25 points. All my Nmap scans had finished by now. The next target I wanted to attempt was the 25-point one. To be honest, if I hadn’t decided to attempt it then, I would have failed the exam once again. The 25-point machine might have rabbit holes, and you must attempt it while you’re still fresh. Use a kitchen timer or your laptop clock to keep track of your recon. Recon smart. Scan every port and service. Google everything you don’t understand. I spent 2 hours chasing a rabbit hole and gave up on it. In the next 20 minutes I had an initial shell, and 10 minutes after that I was SYSTEM. GREAT!!!
4 hours into the exam and I already had 50 points. At this point I decided to take a break. I took a 2-hour break, watching YouTube and stuff. I returned after the break and tried my luck at a 20-point machine but couldn’t get a shell. I didn’t want anxiety to build up, so I took a break for another 2 hours. I switched to the next 20-pointer but failed at it too. So I took another break, cleared my head, and started afresh. 40 minutes after returning from the break, I had a shell on one of the 20-pointers. 60 points in. At this point I felt exhausted, even though I had been taking more breaks than actually doing something.
It was 9:00 PM and I decided to go to sleep. I informed the proctor and slept from 9 PM to 4 AM. I returned at 4:30, fresh and calm. I needed just 10 points to pass. The next hour was spent enumerating the 10-point machine and finding a privesc on the 20-pointer. By 5:30 AM I knew what I had to do for both the 10-pointer and the 20-pointer. I decided to take another break just so that I didn’t mess things up in haste. I went for a walk and was back in half an hour.
I started with privesc on the 20-pointer: 30 minutes in and root. The 10-pointer next: 15 minutes to a SYSTEM shell. By 7:15 AM I had 80 points and decided not to go for the remaining 20-pointer. Instead, I used the last hour of my examination taking screenshots again and again. I rechecked my notes and copied and pasted all the commands into CherryTree. I would recommend writing your report during the examination, as you might otherwise miss a command or a screenshot. I have a habit of logging everything and taking screenshots at every step, so this wasn’t an issue for me.
I signed off at 8:15. In total, I took breaks for more than 12 hours of my precious exam time. I didn’t want to lose to anxiety and fear, and frequent breaks helped me stay fresh and calm. You do not have to follow in my footsteps, but if breaks help, don’t shy away from taking one. Go easy on yourself. Offensive Security has the motto Try Harder, but I believe one should Try Smarter. I prefer not to take any energy drinks or caffeine during the exam, but go ahead and have them if they make you feel fresh; just don’t abuse them.
Offensive Security gives you 24 hours to send the exam report. You can also send the lab report and exercises for 5 bonus points. I had my exam report sent by the evening.
Tips and Tricks
Going from a noob to OSCP has been a hell of a journey. Here is some advice for anyone aspiring to attempt the OSCP someday.
- Learn networking first: I cannot lay enough emphasis on how important understanding network protocols is. YouTube has a lot of amazing content on this. If YouTube doesn’t help, go for certifications like Network+ or CCNA.
- Learn how to code: I believe that anyone who says programming isn’t important, or that you just need to be able to read code, is probably misguiding you. I agree that you do not need the skills of a software developer, but you must be able to write basic programs. Learn how to code in at least 2 programming languages, mastering one of them. Learn how the web works and the basics of SQL.
- Learn Linux and Bash scripting: I feel the best way to learn Linux is by using it as your primary OS. This can be overkill for some, but you will gain immense experience. I remember spending hours and hours just because I couldn’t get VMware to work on my distro every time I updated my kernel. Find a distro for your needs and install it on an old laptop.
- Make good notes: Personally, I used two formats for note-taking. One format is for detailed topics such as XXE, SQLi, SSRF or HackTheBox write-ups; I used CherryTree for it. The other format is for the commands that I might need again; I used Vim to keep a text file and jotted everything down in it. The main benefit of a plain text file is that you can grep it straight from the terminal.
- Keep everything organized: notes, screenshots, logs and outputs. Make separate directories for exploitation, recon, privesc, etc. Use command-line utilities like tee to keep a log of every command you run and its output.
- Don’t be a STAN: Yup, you read that correctly. Don’t follow anyone’s footsteps inch by inch. Why do you think I failed my first attempt? The answer is setting unrealistic goals. Just because someone was able to do the Buffer Overflow in 30 minutes doesn’t mean you have to do the same. Setting unrealistic goals will make you panic if you fail to achieve them. It’s completely OK to take 2 hours doing recon on a machine. Develop your own methodology and find what works best for you.
- Don’t rush during the exam: I read more than 10 blogs before my first attempt describing how the authors got passing marks in 12 or 13 hours, which is what I aimed for. Is this sustainable? It can be for some people, but if you’re not used to working 10 hours in one go, avoid this path. I took approximately 5 hours of breaks during the day and slept for 7 hours at night. I took more than 12 hours of breaks in total and still reached 80 points an hour before the 24-hour mark. Success stories are fine, but I believe you learn more from stories of failure.
- Do not get tunnel-visioned: One of the reasons I failed my first OSCP attempt is that I got tunnel-visioned. Being tunnel-visioned means strongly believing that a particular service or port is the attack vector. I remember trying SQL injection for 2 hours straight just to dump credentials that were of no use. Just because you found an exploit, or a service looks vulnerable, doesn’t mean it is the intended path. If things aren’t working out, leave it and try something else. This will help you stay away from rabbit holes.
- Use a timer: Use a kitchen timer or keep track of the clock. Allocate yourself a specific amount of time for a specific task. For example, if you find 4 ports open on a machine, do not take more than 30 minutes to enumerate each service/port. Leave services with larger attack surfaces (e.g. SMB and HTTP/HTTPS) for the end. Leaving HTTP/HTTPS and SMB for the end will give you the confidence that you have nothing else left to enumerate, and you can give them more time. Assign 2 hours to a box and leave it if you’re not able to get a shell, unless you are close to compromising the target. Similarly, give yourself two hours for privesc.
- Don’t use automated recon tools if you are not comfortable with them: On my first attempt I used AutoRecon to run my enumeration process. Though I believe AutoRecon is a great asset to the recon process in CTFs and similar settings, I could not use it to my benefit in the exam. I like to control my recon process, and sometimes the AutoRecon output can be a bit overwhelming. Take SMB, for example: AutoRecon would run enum4linux and smbmap to enumerate the port, when in reality you only need a single command to map the entire SMB service. AutoRecon is a great tool, but knowing your commands is better than any tool.
- Do not leave your full-time job for the certification: Leaving your job will only increase the pressure on you. I agree that channelling all your energy into the certification will help, but having no job will put more pressure on you during the examination. Having a job will provide you moral support if things are not going as expected.
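The tips on organizing directories, logging through tee, timing each service and keeping control of recon can be combined into one small planner. The following is an added example, not the author’s tooling and not AutoRecon: it parses Nmap grepable output, assigns one command and a 30-minute budget to each open service, defers HTTP/HTTPS and SMB to the end, and writes the commands into a per-host recon/ directory with each one piped through tee so its output is kept. The specific commands and the wordlist path are assumptions to adjust to your own toolset, and the Nmap output is a constructed sample, not a scan of a real target.

```python
"""Manual recon planner (added example; not the author's tooling and not a
replacement for AutoRecon). Reads nmap grepable output (-oG), picks ONE
command per open service, gives each a time budget, and schedules the big
attack surfaces (HTTP/HTTPS, SMB) last so everything else is covered before
the bulk of the time goes there. Commands and WORDLIST are assumptions."""

import os
import tempfile

WORDLIST = "/usr/share/wordlists/dirb/common.txt"  # assumption: adjust to your box
LAST = ("http", "https", "smb")  # categories deferred to the end, in this order
WORKSPACE = ("recon", "exploitation", "privesc", "loot")  # per-host directories


def parse_grepable(text):
    """Yield (host, [(port, proto, service, version), ...]) for each host line.
    Grepable port entries look like port/state/proto/owner/service/rpc/version/ ."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        ports = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/", 6)
            if len(fields) < 7 or fields[1] != "open":
                continue  # closed/filtered ports are recorded by nmap, not enumerated
            port, _state, proto, _owner, service, _rpc, version = fields
            ports.append((int(port), proto, service, version.rstrip("/")))
        yield host, ports


def command_for(host, port, service):
    """Return (category, command): the single command to run first for a service."""
    s = service.lower()
    if s in ("microsoft-ds", "netbios-ssn", "smb"):
        return "smb", f"smbmap -H {host} -u '' -p ''"  # one command lists every share
    if s in ("http", "http-alt", "http-proxy"):
        return "http", f"gobuster dir -u http://{host}:{port} -w {WORDLIST}"
    if s in ("https", "ssl/http"):
        return "https", f"gobuster dir -u https://{host}:{port} -k -w {WORDLIST}"
    return "other", f"nmap -sV -sC -p {port} {host}"  # default: script-scan that port


def plan(text, minutes_per_service=30):
    """Ordered list of steps: everything not in LAST first (by port), then LAST."""
    steps = []
    for host, ports in parse_grepable(text):
        for port, _proto, service, version in ports:
            category, command = command_for(host, port, service)
            steps.append({"host": host, "port": port, "service": service,
                          "version": version, "category": category,
                          "command": command, "budget_min": minutes_per_service})

    def rank(step):
        cat = step["category"]
        return LAST.index(cat) + 1 if cat in LAST else 0

    steps.sort(key=lambda s: (rank(s), s["port"]))
    return steps


def make_workspace(root, host):
    """Create the per-host directory layout; return the created paths."""
    paths = [os.path.join(root, host, d) for d in WORKSPACE]
    for p in paths:
        os.makedirs(p, exist_ok=True)
    return paths


def write_plan(steps, root):
    """Write <root>/<host>/recon/plan.sh: one command per line piped through tee
    so every output is kept, each preceded by its budget and the version string
    to feed searchsploit. Meant to be run one line at a time. Returns {host: text}."""
    scripts = {}
    for host in sorted({s["host"] for s in steps}):
        make_workspace(root, host)
        lines = ["#!/bin/sh", f"# enumeration plan for {host}: run one line at a time, start the timer per line"]
        for s in (x for x in steps if x["host"] == host):
            note = f'  -> searchsploit "{s["version"]}"' if s["version"] else ""
            lines.append(f"# [{s['budget_min']} min] {s['port']}/{s['service']}{note}")
            lines.append(f"{s['command']} 2>&1 | tee recon/{s['category']}_{s['port']}.log")
        text = "\n".join(lines) + "\n"
        with open(os.path.join(root, host, "recon", "plan.sh"), "w") as fh:
            fh.write(text)
        scripts[host] = text
    return scripts


def make_temp_root():
    """Scratch directory for the demo so nothing is written into the CWD."""
    return tempfile.mkdtemp(prefix="oscp-plan-")


# Constructed sample of `nmap -sV -oG` output; not from a real target.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated (constructed sample)\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.38/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.9.5/, 3306/filtered/tcp//mysql///"
    "\tIgnored State: closed (995)\n"
)

if __name__ == "__main__":
    steps = plan(SAMPLE_GNMAP)
    for s in steps:
        print(f"[{s['budget_min']:>3} min] {s['port']:>5} {s['category']:<6} {s['command']}")
    print(write_plan(steps, make_temp_root())["10.10.10.10"])
```

The point is not the particular commands but the shape: one command per service, a budget next to each, the large surfaces last, and every output landing in recon/ so nothing has to be re-run for the report.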
1. Buffer Overflow: Don’t judge me, but I do not agree with people who ask you to discard Offsec’s Buffer Overflow methodology. The Buffer Overflow section in the video lectures provided is gold. Watch the Buffer Overflow section multiple times and you won’t need any external help. Still, people looking for external help can check this amazing explanation by TheCyberMentor. https://youtube.com/playlist?list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G
2. Networking Essentials: For networking you can refer to multiple resources. Some of the following resources may be overkill but will surely help you build a strong foundation.
- Computer Networks — Neso Academy https://youtube.com/playlist?list=PLBlnK6fEyqRgMCUAG0XRw78UA8qnv6jEx
- Networking for Ethical Hackers — TheCyberMentor https://youtube.com/playlist?list=PLLKT__MCUeiyUKmYaakznsZeU4lZYwt_j
- Practical Ethical Hacking — TheCyberMentor https://www.udemy.com/share/102pCa/
3. Linux and Bash Scripting: Do not opt for the OSCP if you aren’t comfortable with Linux; you will only be wasting your time troubleshooting things. You can use the following resources to sharpen your Linux knowledge.
- Shell Scripting — HackerSploit: https://youtube.com/playlist?list=PLBf0hzazHTGMJzHon4YXGscxUvsFpxrZT
- Beginner Linux for Ethical Hackers — TheCyberMentor: https://youtube.com/playlist?list=PLLKT__MCUeiwfK18Io6kvwrrhqQyQnV5W
- Bandit OverTheWire — John Hammond: https://youtube.com/playlist?list=PL1H1sBF1VAKUsYdQd94dO9MgSaY2p1AJ4
- OverTheWire: https://overthewire.org/wargames/
- Root-Me: https://www.root-me.org/
- Explain-Shell: https://explainshell.com/
4. Basic Web App Pen Testing:
- Web Application Penetration Testing — TheCyberMentor: https://youtube.com/playlist?list=PLLKT__MCUeixCoi2jtP2Jj8nZzM4MOzBL
- Burp Suite Tutorials — Hackersploit: https://youtube.com/playlist?list=PLBf0hzazHTGP2L7AoWTIhggUsDdNZhfBl
- Practical Ethical Hacking — TheCyberMentor: https://www.udemy.com/share/102pCa/
5. Developing Methodology and Mindset: If I had to recommend a single resource, it’s got to be IPPSEC. His videos helped me a lot: they helped me develop a mindset, shaped my methodology, and taught me how to escape rabbit holes.
6. SQL Injection: SQL injection can be very painful if you’re not familiar with SQL syntax. You can follow these resources and I promise you’ll get almost any machine vulnerable to SQLi in the labs.
7. Privilege Escalation: If you’re looking for video lectures, go for TheCyberMentor’s privilege escalation courses on Udemy.
- Windows Privilege Escalation — TheCyberMentor: https://www.udemy.com/share/102YD8/
- Linux Privilege Escalation — TheCyberMentor: https://www.udemy.com/share/103eEu/
8. Active Directory: The Cyber Mentor’s Practical Ethical Hacking course will give you an amazing foundation in common AD attacks.
- Practical Ethical Hacking — TheCyberMentor: https://www.udemy.com/share/102pCa/
- Getting interactive shells: https://netsec.ws/?p=337
- SUID and SUDO exploitation: https://gtfobins.github.io/
- Reverse shell cheatsheet: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
- Bypassing UAC manually: https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
- Enumeration Mindmap and Breakdown: https://github.com/theonlykernel/enumeration/wiki
- Windows Kernel Exploits: https://github.com/SecWiki/windows-kernel-exploits
The PDF provided by Offensive Security is pure gold. Is it enough to pass the examination? Absolutely not. The PDF might not have everything required to pass the examination, but it does help in laying a strong foundation. Combine the PDF with the video lectures and you’ll have a solid understanding of most of the required skills. I personally preferred the PDF, as it was more detailed and better structured. The video lectures did a better job of explaining Buffer Overflow.
Offensive Security also awards 5 bonus points for submitting a lab report and the exercises. Would I recommend it? Absolutely; doing the exercises will sharpen your skills. Do not skip them.
The Rocket.Chat and Discord support is amazing. The student admins know their shit and will always be happy to help you. The forums are a bonus treasure, and I personally found them quite helpful.
The labs are a great environment and, to be honest, I never had any issues in the labs. There was hardly any incident of someone resetting a machine while I was working on it. The VPN is stable, and in fact Offsec extended my lab time 3 times whenever there were issues with their servers. Isn’t that nice?
Are the lab machines similar to the exam machines? Yes and no. In my opinion, the most similar machines in the labs were Alpha, Beta and Gamma. The machines in the examination were trickier and closer to real life.
Do not rush your labs. Focus on learning as much as you can. Once done with a machine, go and read the forums; you might discover a new attack vector. Talk to fellow students on Rocket.Chat and Discord and learn how they approached a machine. Give yourself time, and ask for help once you’re out of options.
Keep yourself calm during the labs; I remember struggling with anxiety when I did Sufferance and Humble. During the exam, go for both 25-pointers at the beginning. The 25-point machines will probably have rabbit holes, and having 50 points early will boost your confidence and help you calm down. Drink a lot of water and take frequent breaks.
Apart from the Offsec labs, I did TJ Null’s HackTheBox OSCP-like boxes. Try to do the boxes on your own; struggling during the prep phase will help strengthen your mind for the exam. Once done, go and watch IPPSEC’s video on how he did it. You can watch a video or read a walkthrough if you’re stuck for too long. Make sure to take detailed notes of how you did a box, and note down important commands in a text file. Another great place is Offensive Security Proving Grounds. Beginners can also try their luck at TryHackMe.
How to tackle Windows machines
Many people find Windows boxes tougher than Linux ones. The initial foothold will be similar to Linux machines; for the privesc section, make sure to complete TJ Null’s Windows machines. It will boost your confidence and help you learn new tricks. Learn how to use PowerShell. PowerShell is a powerful scripting language and will make some tasks easier. Following is the documentation I used to understand a Windows command.
Thank you for reading. The past 7 months have been tough. The certification can be exhausting. Don’t forget to take a break.
Keep learning, keep hustling and don’t forget to Try Harder. Thank you, OFFENSIVE SECURITY. Until next time.
Contact me on Twitter @accesscheck.