
OSCP Journey

Date: November 23, 2021

Go To:

Summary
Top Resources
Study Breakdown
Exam 1
Exam 2
Exam 3
Report Writing
Final Thoughts

Summary:

Highly recommend going through the OSCP certification; the amount of knowledge I gained throughout my studies was astounding. I signed up for the 90-day PWK course in April and got my OSCP in November of the same year on my third exam attempt. When I first signed up for the PWK course I had very basic penetration testing knowledge; I could barely do an easy box on Hack The Box, and only with hints. I do have about a year and a half of work experience managing/supporting Linux and Windows servers. This did help me, as I was very comfortable navigating around a server and dealing with custom-made scripts written in Bash, PowerShell, and Python. If you’re contemplating waiting or just going for it, I’d say if you have fundamental knowledge of servers and cyber security then that’s good enough to start. You’ll learn what you need to as you go.

Top Resources:

Hacking platforms
Proving Grounds
Try Hack Me
TJ Null List

Content Creators
Tib3rius Udemy Linux Privilege Escalation
Tib3rius Udemy Windows Privilege Escalation
Tib3rius Buffer Overflow
The Cyber Mentor
Alh4zr3d BOF
Alh4zr3d Twitch Stream
John Hammond's YouTube
Ippsec YouTube

Note taking software
CherryTree Notes

Study Breakdown:

PWK PDF book - Once you sign up and pay the course fee, it takes about a week (at least it did for me) to get your ‘start’ date, which is the date you officially start the PWK course and get the PDF book. I highly recommend going through the PDF and actually performing the exercises in the lab environment. It’s easy to skim and think it isn’t needed, but going through the exercises will get you to actually learn each topic in detail. You get 5 extra points if you complete all the exercises, but I don’t think it’s worth it because there are A TON of exercises, and it will take too long. Instead, just spend a day on a chapter. If you can’t fully complete the exercises, at least you did enough to understand the topic more deeply. For the first month I went through the PDF exclusively.

PWK Lab – Along with the PDF book, you also get access to the lab environment and the ‘student forum’, where other students can help with hints on the lab machines. I didn’t spend too much time here; there is a list of around 7-8 machines it says to start off with, and it will give hints on how to exploit them. I basically just did those machines, which took about half a month.

Hacking Platforms –
Proving Grounds: In my third month I felt comfortable enough to start practicing on hacking platforms and went straight to Proving Grounds, which is Offensive Security’s hacking platform. It was highly recommended, and I will put my stamp on that recommendation as well. The machines have the same feel as the OSCP machines and were the best preparation for the exams. Before my first exam attempt I did about 30 machines in the paid ‘Practice’ section; through the whole of my studying I did about 50 machines. I used TJ_Null’s list as a guide to which ones to make sure to cover.

Try Hack Me: I basically only did the SQL Injection, LFI, and Buffer Overflow Prep rooms. The Buffer Overflow Prep room is the go-to study/practice material. The LFI and SQL injection rooms were good and helped me practice those topics more. There are plenty of rooms to practice and touch up on certain skills, so feel free to check others out as well.

Content Creators -
Tib3rius: His privilege escalation courses on Udemy are very good; they are straight to the point and show him running through each of his topics. The Buffer Overflow Prep room on Try Hack Me is the 'go to' for practicing BOF and is a necessity.

The Cyber Mentor: His courses are very beginner friendly, and he does a good job making topics easy to understand. I would recommend them as the starting point if you don’t want to purchase the PWK course just yet but want to get a better understanding of what to expect when studying for the OSCP.

Alh4zr3d: I found his content towards the end of my journey, and I wish I had found it sooner. His Buffer Overflow video is, in my opinion, the best at explaining what’s going on. I try to catch his Twitch stream as often as I can. He has it during the evenings on Tuesday, Thursday, and Sunday, where Tuesday is his ‘noob Tuesday’ and he goes through boxes while explaining as if everyone is a ‘noob’. Which is great, because if you are unsure of why certain commands are run, or about certain methodologies, this is the perfect time to ask.

John Hammond and Ippsec: Grouping them together because I used their content in similar ways. They both post walkthroughs going through different boxes or Try Hack Me rooms, which is very helpful as I can see how they deal with certain problems and their methodologies. When I’m not doing any hands-on practicing, it’s nice to just watch a few videos and get some helpful information while being entertained.

At the end of my 90-day course period I scheduled my exam for a month out. The slots do fill up quickly, so schedule as soon as you can. You are also able to reschedule up to 3 times in case something comes up preventing you from taking the exam, as long as you do so within 48 hours of the exam time. All three of my exams started at 5PM, as that time works best for me. Your screen will be proctored and no cell phones are allowed next to you. You are allowed to enter the proctored room up to 15 minutes before the exam. It will be through a browser extension and will require a webcam to be set up.

Exam 1 FAIL (55-points):

5PM – 10:00PM
I started my exam at 5PM, got my machines, and for the first 30 minutes I was setting everything up, including my nmap scans on the 4 non-BOF machines.
For nmap scans I use: sudo nmap -A -p- (ipaddress) |tee nmap-scan.out
Once I was set up, I started on the BOF (25 points) and went through my steps. It took a lot longer than I wanted, but I finally got my exploit script working around 9:30PM. I got stuck and decided to go through the whole process again to see what was causing my script to not work. It turned out I had written down my IP address wrong, so my payload was being sent to the wrong IP address. I took about a 30-minute break afterwards.

10:00PM – 12:00AM
To get quick points I went to the easy box (10 points) and didn’t have too much trouble. I enumerated each port that appeared in my nmap scan, eventually found the right exploit, and got the needed flag. Took about a 20-minute break afterwards.

12:00AM – 5:00AM
By midnight I only had 35 points and was discouraged because I had planned to have 55 points by the time I went to sleep. I was still very focused, so I decided to keep going and started on one of the intermediate (20-point) machines. I got an initial foothold around 3:00AM and took a quick break. I thought I was still feeling okay, and I’m very comfortable with privilege escalation, so I wanted to keep going. I found the right path pretty quickly but was having issues getting it to work. Around 5:00AM I got the exploit working and was able to get the needed flag.

5:00AM – 10:00AM
Here I took a nap. Just kidding; here is where I SHOULD HAVE TAKEN A NAP. However, I was stubborn, had adrenaline, and stayed up. In my head I was saying I just need one more box and I pass this exam that I was so excited to get. I felt my stumble with the BOF just threw me off, and I hadn’t had much trouble with the two other boxes so far. I made the poor decision to keep going; I checked out the ports, tried a few things that didn’t work, and tried some other things that didn’t work. Time flew so fast, and before I knew it, it was around 10:00AM. Then I hit a wall, a sleepy/exhausted wall.

10:00AM – 4:45PM
I was feeling the sleepiness hard and could not focus on anything. I kept catching myself staring at the same work for 10 minutes straight. I felt it was too late to take a nap and made pretty much zero progress. Time was up and I ended the exam with 55 points.

I felt the biggest hit was my initial struggle with the BOF; it got me off to a bad start, and I should have finished it a lot sooner, which would have let me reach my goal of 55 points before I fell asleep. I scheduled my next exam for a month away (the required cool-down period). I got busy with work and didn’t really do much studying in between, probably just 4-5 boxes on Proving Grounds during the whole month.

Exam 2 FAIL (45-points):

5:00PM – 7:30PM
Started my nmap scans on the 4 non-BOF machines, then started working on the BOF. Took about an hour and a half to two hours to get the BOF.
For nmap scans I use: sudo nmap -A -p- (ipaddress) |tee nmap-scan.out

7:30PM – 10:00PM
I went to the easy 10-pointer and was having issues running a Python script. I was getting specific module failures and tried to resolve them but wasn’t able to. During my studies I had modified the environment, and I believe I must have messed up the needed modules. I tried uninstalling and reinstalling but couldn’t get it to work. I didn’t end up rooting this machine during my exam. I strongly believe I had the right path but couldn’t get the script working (weeks later I realized it was my VM and ended up restoring from an old snapshot before my third exam).

10:00PM – 2:00AM
Without getting the easy box, I decided to switch to one of the intermediate (20-point) boxes. I was enumerating and thought I had found some intriguing paths, but ended up not getting anything during this time.

2:00AM – 8:00AM
Remembering how sleepy I was during my first exam, I had to take a nap on this attempt, which I did, and woke up around 8AM.

8:00AM – 11:00AM
I switched to the other intermediate (20-point) box and started enumerating from the nmap scan results. I was able to get an initial shell in about two hours and root in about an hour.

11:00AM – 5:00PM
With 45 points, I would need either the hard box or both the easy and intermediate boxes to pass. The hard box looked pretty intimidating (you’ll know when you see the hard boxes). Since I had already enumerated/worked on the easy and intermediate boxes, I decided I already had progress on those and went that route. I spent most of the time on the intermediate box and got really far down a path; I just couldn’t get an initial shell and didn’t get any points. For the easy box, I still couldn’t get the Python modules working and wasn’t able to get any points either. I ended up failing with 45 points.

I waited the required 2 months to book my third exam (this was way too much time, and the extra time didn’t help at all). During this time I really didn’t do any OSCP studying, except for maybe a week before the exam to take off some rust. Having taken the exam twice already, I pretty much knew the ‘feel’ of the exams. I reset my VM to an earlier snapshot because I had been having Python module issues on exam 2.

Exam 3 PASS (90-points):

5:00PM – 6:30PM
Started my nmap scans as normal on the 4 non-BOF machines. Was able to get the BOF in about an hour and took a break afterwards.
For nmap scans I use: sudo nmap -A -p- (ipaddress) |tee nmap-scan.out

6:30PM – 9:30PM
I moved to the easy (10-point) box and enumerated really well. I had a really good feeling about a certain path, but kept trying different ways and couldn’t get it working. I didn’t want to waste more time, so I switched boxes.

9:30PM – 2:30AM
I switched to one of the intermediate (20-point) boxes and got an initial shell around 1:00AM. The privilege escalation wasn’t too difficult for me, and I got the needed flags around 2:30AM.

2:30AM – 6:00AM
I took a break at 2:30AM to take a nap. I tried, but was not able to sleep. I decided to go back to the exam and try the other intermediate (20-point) box. I was able to get the initial foothold and escalate my privileges.

6:00AM – 12:00PM
Took a much-needed nap and felt so much better. This is where I should have taken a nap on my first exam, but you live and learn.

12:00PM – 1:00PM
I just needed 5 points to pass, so I went back to the easy box and kept trying my exploit. After an hour I couldn’t get it to work and started feeling nervous. I didn’t feel like I was getting anywhere, so I decided to just leave it and go to the hard box.

1:00PM-4:45PM
The hard box was, well… hard. It took about 3 difficult hours to get the initial foothold. The privilege escalation was a bit difficult to find, but I was able to get it working just in time. I got root/system access and the needed flags around 4:30PM. I ended the exam passing with an expected score of 90 points.

Report Writing:

The report wasn’t so much hard as it was tedious. I took screenshots and notes throughout the exam. Once I finished the exam, I just organized the notes and screenshots so that someone could follow step by step. Make sure to have screenshots of the IP address, the user you are, and the output including the FULL path to each flag. The report took about 4-5 hours to complete, but I took many breaks in between. The way I formatted the ‘walkthrough’ section for each box was similar to the template below:


  *give brief sentence describing what I’m about to do*
  Run: Put command here
  *put screenshot of command running and output, highlight any key output*
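To make sure the flag screenshot always carries the three things listed above (IP address, current user, and the flag contents with its full path), here is an added helper for Linux targets. It is example code written for this page, not something from the original post or from Offensive Security; the flag path is whatever you pass in, and with no argument it uses a constructed temporary file with made-up contents.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Prints, in one go on a
# Linux target, everything the post says each flag screenshot must show:
# the IP address(es), the user you are, and the flag contents with its FULL
# path. The flag location is whatever you pass in; with no argument it uses
# a constructed temporary file (made-up contents, not a real flag).
set -u

# proof_block <flag-file> : resolve the path to an absolute one, stop if the
# file is unreadable, otherwise print host, IPs, identity and the flag under
# labelled headers so a single screenshot captures all of it.
proof_block() {
    local flag abs
    flag=$1
    abs=$(readlink -f -- "$flag" 2>/dev/null || printf '%s' "$flag")
    if [ ! -r "$abs" ]; then
        printf 'proof_block: cannot read %s\n' "$abs" >&2
        return 1
    fi
    printf '=== host ===\n%s\n' "$(uname -n)"
    printf '=== ip ===\n'
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr | awk '{print $2, $4}'
    elif command -v hostname >/dev/null 2>&1; then
        hostname -I
    else
        printf '(no ip/hostname tool available)\n'
    fi
    printf '=== id ===\n%s\n' "$(id)"
    printf '=== flag %s ===\n' "$abs"
    cat -- "$abs"
}

# sample_flag : writes a constructed flag file and prints its absolute path.
sample_flag() {
    local f
    f=$(mktemp)
    printf 'CONSTRUCTED-SAMPLE-FLAG-0000\n' > "$f"
    printf '%s\n' "$f"
}

# Usage: proof.sh /root/proof.txt   (no argument: constructed sample file)
if [ "$#" -gt 0 ]; then
    proof_block "$1"
else
    proof_block "$(sample_flag)"
fi
```

Run it as the user who owns the shell you are proving (for example after `su`-ing or escalating to root) so the `id` line and the flag read come from the same session; a relative path is resolved with `readlink -f` so the header always shows the absolute location, and an unreadable file fails loudly instead of producing a screenshot with an empty flag.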
             

Final Thoughts:

Going through the course is definitely worth it; I’ve learned so much, and it’s a course where you actually have to perform and showcase what you’ve learned. If you can go through intermediate boxes on Proving Grounds without any hints or walkthroughs, in my opinion you will do well on the exam. Take breaks often, and be careful of rabbit holes. When first enumerating a box, take up to 15 minutes per port. Once you go through the ports, take a step back and do triage: see which looks most interesting and dig deeper. When all else fails, enumerate more.
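The scan used at the start of each exam section above (sudo nmap -A -p- against every non-BOF machine, output saved with tee) and the port-by-port triage described here fit together in one small script. The following is an added example written for this page, not code from the original post: it launches the same full-port scan on all targets at once, saves a greppable copy per host, and turns that into the list of open ports you then budget your 15 minutes each against. The target address, service banners and file names in the sample are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. It wraps the scan the post
# uses (sudo nmap -A -p- <ip> | tee nmap-scan.out) so every non-BOF target is
# scanned at once, keeping one normal-output file per host to read and one
# greppable (-oG) file per host that is parsed into a port-by-port triage list.
# The target address, banners and file names below are assumptions.
set -u

# scan_targets <ip>... : full-port nmap against each target in parallel.
# This is the only function that needs nmap (and sudo).
scan_targets() {
    local ip
    for ip in "$@"; do
        sudo nmap -A -p- -oN "nmap-$ip.out" -oG "nmap-$ip.gnmap" "$ip" \
            > /dev/null 2>&1 &
    done
    wait
}

# parse_gnmap <file.gnmap> : prints "ip port proto service version" for each
# OPEN port. gnmap port entries are port/state/proto/owner/service/rpcinfo/version/
# and nmap rewrites any "/" inside the version text as "|", so "/" is a safe split.
parse_gnmap() {
    awk '
    /^Host:/ && /Ports:/ {
        ip = $2
        line = $0
        sub(/.*Ports: /, "", line)   # keep only the port list
        sub(/\t.*/, "", line)        # drop the "Ignored State: ..." trailer
        n = split(line, ports, /, /)
        for (i = 1; i <= n; i++) {
            split(ports[i], f, "/")
            if (f[2] != "open") continue
            svc = (f[5] == "") ? "unknown" : f[5]
            ver = f[7]
            gsub(/^ +| +$/, "", ver)
            printf "%s %s %s %s %s\n", ip, f[1], f[3], svc, ver
        }
    }' "$1"
}

# sample_gnmap : writes a constructed .gnmap file (made up, not real exam
# output) and prints its path so parse_gnmap can be tried without nmap.
sample_gnmap() {
    local f
    f=$(mktemp)
    {
        printf '# Nmap 7.91 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.45.10 ()\tStatus: Up\n'
        printf 'Host: 192.168.45.10 ()\tPorts: '
        printf '22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/, '
        printf '80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, '
        printf '139/filtered/tcp//netbios-ssn///, '
        printf '3306/open/tcp//mysql//MySQL 5.7.33-0ubuntu0.16.04.1/'
        printf '\tIgnored State: closed (65531)\n'
    } > "$f"
    printf '%s\n' "$f"
}

# With target IPs as arguments: scan them, then print the triage list.
# With no arguments: parse the constructed sample instead.
if [ "$#" -gt 0 ]; then
    scan_targets "$@"
    for ip in "$@"; do parse_gnmap "nmap-$ip.gnmap"; done
else
    parse_gnmap "$(sample_gnmap)"
fi
```

Running it with the four non-BOF IPs gives one line per open port across all hosts, which is the list to work through at up to 15 minutes each before stepping back to triage; the nmap-<ip>.out files keep the full -A detail (scripts, OS guess, banners) for when you dig into a specific port. Filtered and closed ports are dropped on purpose so the list only contains what can actually be talked to.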

If you want to do a 'practice exam' I would recommend picking four boxes from TJ Null's list: an easy, two intermediate, and one hard box. Then take a day and try to root all the boxes, plus the BOF from Tib’s Try Hack Me room. Do this without any walkthroughs or hints and work through the struggle. Get as far as you can, and afterwards you can look at the walkthroughs.

Hopefully this writeup helps, and good luck on the OSCP; I believe you can definitely pass it.