OSCP Journey: How I Passed OSCP with 100 points in 10 hours
Introduction
Having read a ton of write-ups from people who have passed the Offensive Security Certified Professional (OSCP), it’s safe to say there is plenty of information out there on how to prepare for this certification, and that same advice also helped me to devise my approach towards the OSCP. This post only seeks to give insight into my approach for taking on the OSCP certification, which led me to pass the certification exam with 100%. It covers my OSCP journey and is written so that it can advise others who wish to take on the certification.
Disclaimer: There is now a lot of information available about preparing for OSCP. In as much as this is a good thing, this can be a double-edged sword. Having too much information can be a bit overwhelming, so I do advise curating the information you use for your preparation.
Initial Study
I already had penetration testing experience from work and CTF platforms such as HackTheBox, but for my OSCP I set out to take the long route and learn as much as possible in the process.
Looking back, I think this was a great decision: it made me a better pentester and made the OSCP journey an enjoyable experience.
As an initial study path, I started by completing TCM Security’s 25-hour Practical Ethical Hacking course. The course covers the basics of the key penetration testing phases and can be a helpful addition to your pentesting methodology.
Disclaimer: Even though the OSCP is an entry-level certification, it does require penetration testing experience for you to be able to complete it. Your experience should cover both gaining an initial foothold on systems and escalating privileges on both Windows and Linux.
To solidify my privilege escalation methodology, I completed the following courses by Tib3rius:
Reflecting on these courses after completing the OSCP certification, I can vouch that these courses do a great job at covering the OSCP privilege escalation vectors.
To ensure that my privilege escalation methodology was completely bulletproof with no gaps, I also completed the equally highly recommended privilege escalation courses by TCM Security:
After completing these courses, I noticed there was a lot of overlap between the two sets of privilege escalation courses, but that was alright since it helped to fortify my knowledge and notes as well.
It’s important to add to your notes as you go through the journey. Whenever you learn something new, add it to your notes, because you will most likely encounter it again, either during your practice, the labs, the exam, or even during an assessment at work.
Practical Preparation: TryHackMe & HackTheBox
I started my practical preparation by completing the TryHackMe Offensive Pentesting Learning Path. This is a comprehensive practical learning path, ideal for preparing for the OSCP PWK/PEN-200 labs, and it includes everything from basic exploitation to buffer overflows and Active Directory (AD) attacks.
The biggest resource I used to practice and prepare for the OSCP was TJ_Null’s list of OSCP-like VMs. At the time of writing, this list is made up of OSCP-like machines from Vulnhub, HackTheBox, and Offensive Security’s Proving Grounds (PG). The list is constantly updated and is great for practicing your practical pentesting skills towards the OSCP, allowing you to identify any gaps or weak points you may have. This lets you improve your pentesting methodology as you gain more experience. For my preparation I completed all the HackTheBox machines on the list (92 at the time of preparation); this includes the machines categorized as more challenging than OSCP.
I refrained from using Metasploit during my preparation. My overall approach was to solve the boxes first and then refer to a write-up or IppSec’s walkthrough video, just to see how others solved the same box. You’ll be surprised by the other techniques that could be used to compromise the same host.
Note: If you are unable to gain access or escalate privileges on a host, it’s completely fine to refer to a write-up so that you can learn how to do it. This is still a great way to learn and add new techniques or tools to your arsenal.
The OSCP Course & Labs (PWK/PEN-200)
I subscribed to the OSCP 90-day lab access package, and during the lab period:
- I read the Penetration Testing with Kali Linux (PWK/PEN-200) PDF material and completed all the exercises required for the lab report. I completed the lab report not solely for the 5 bonus points you get for submitting your lab report and course exercises, but more for gaining an appreciation of the full OSCP experience as Offensive Security intended.
- The prior preparation and pentesting experience started paying off as I managed to successfully compromise multiple lab machines including the Big 4 (Pain, Sufferance, Humble, and Gh0st) and unlocked access to the IT Department and Development networks.
Disclaimer: Completing the course exercises for the lab report takes a lot of time; I only recommend completing them if you have enough time. They allow you to practically follow the course material, plus you get 5 bonus points in the process. Completing the lab report can also get you more comfortable with the report format that you will use for your final exam report.
Overall, I think the PWK/PEN-200 labs provide a great environment for practicing and applying the concepts taught in the course, and this is equally a crucial part of preparing for the OSCP exam itself. There are not many practice environments where you get to practice techniques such as Active Directory attacks and pivoting. Although techniques such as AD attacks may not be a part of the exam itself, they are still important techniques that you will use in real-life assessments. The PWK/PEN-200 labs go beyond just OSCP exam preparation. That, combined with the fact that the labs also include some retired OSCP exam machines, only makes them even better.
For anyone in the PWK/PEN-200 Labs, I do recommend attempting to pwn the Big 4 machines. Successfully compromising these big machines not only boosts your confidence but also teaches you the “Try Harder” mentality.
For more information on the lab network layout, check out the PEN-200 Network Introduction Guide.
Final Exam Preparation: Proving Grounds
After completing the labs, I proceeded to complete all the Offensive Security Proving Grounds (PG) machines on TJ_Null’s list (34 at the time of preparation). With additional lab time on my hands, I completed additional PG machines on top of the listed VMs. I have listed the additional machines (in orange below), they are great if you are also looking for more OSCP-like machines to practice on.
I highly recommend the Offensive Security Proving Grounds (PG) Practice training labs. I think it is the best lab environment to use to prepare for the actual OSCP exam. In comparison to the other platforms, it’s closer to the actual OSCP exam machines. Well, they are vulnerable machines developed by Offensive Security after all, so that is to be expected. As a bonus, PG also has some retired OSCP exam machines.
For my final buffer overflow preparation, I used the TryHackMe Buffer Overflow Prep room which provided an excellent platform for mastering stack-based buffer overflows with different bad character sets.
At this point, I felt I was ready to take on the exam. I rescheduled my exam to move it a few days earlier because I felt there was nothing left for me to do in preparation for the exam.
The 24-Hour Exam
My exam was scheduled to start at 20:00. I connected to the proctoring software exactly 15 minutes before the scheduled exam time and used that time to complete the identity verification and proctor setup tasks.
Going into the exam, I had everything lined up perfectly: my workspaces, enumeration terminals, and web browsers all fired up and ready to go. My strategy was to go for the machines in descending order of points, starting with the 25-point buffer overflow machine (25 → 25 → 20 → 20 → 10).
At exactly 20:00, I received the VPN pack and connected to the exam VPN. I kicked off by starting my Nmap scans against all the targets and immediately started cracking at the buffer overflow machine. Less than 40 minutes in, I was done with the buffer overflow machine. I then proceeded to gather and organize my enumeration results and took a quick break to power up before going back in guns blazing at the 25-pointer machine.
25-pointer machine
At 21:00 I started going for the 25-pointer machine. After 2 hours working on the machine, I had successfully gained an initial foothold and completed my privilege escalation enumeration. I was pretty sure I knew what had to be done, but I couldn’t seem to make it work. So I went on to take a short 15-minute break to re-calibrate. I went back in, more relaxed this time. I went back through my enumeration, step by step, right up to my exploitation attempt, and asked myself why it wasn’t working. That’s when I saw where I had made a slight oversight; I corrected it, and this time it worked 😊 So, at around 23:00, both 25-pointer machines were done. At this point, the momentum was running high: only 4 hours into the exam and I was halfway through, sitting at 50 points with 3 machines remaining. Getting a pass mark (70 points) was now easy; I just needed one 20-pointer machine, which is literally the shortest path to root. I then went for a 30-minute break to cool off and grab a snack to keep the energy levels high.
20-pointer machine
At 23:30 I started going for the first 20-pointer, and within less than an hour I had initial access. I took a deep dive into my privilege escalation enumeration and took my time crossing out potential escalation vectors. After “enumerating harder”, as they say, I managed to fully compromise the first 20-pointer. This was around 01:30, less than 6 hours into the exam, and I was super ecstatic that I had acquired a pass mark without deviating from the initial plan of hitting the targets in descending order. I then went for my 30-minute break, gearing up to come back for the 2 remaining targets.
20-pointer and 10-pointer machines
After two and a half hours cracking at the machines, with solid enumeration, I managed to fully compromise the second 20-pointer machine and the 10-pointer machine. The 10-pointer machine was definitely the easiest; it literally took me less than 20 minutes. So now it was 04:30 and I had fully compromised all the targets. Super excited, I went for a short break before I ended the exam, so I could clear my mind, come back, and verify that I had captured everything I needed for the report: all the commands and screenshots. The verification process turned out to be pretty easy, as I had captured everything already. From there I proceeded to terminate the exam, and by 05:00, 10 hours after the exam began, the exam ended in victory. To make it better, I didn’t even use my Metasploit allowance; all my manual exploitation attempts worked. Awesome 🥳
Report
Now I had plenty of time left for the report, with 14 hours left from the 24-hour exam combined with the additional 24 hours given by Offensive Security for reporting. The report was a breeze; I used the official documentation template by Offensive Security to draft my report. I submitted my report after making sure that it included all the steps taken to compromise each host, including all the commands, proof-of-concept scripts, and screenshots, such that a competent reader would be able to replicate my steps from start to end.
Exam Results
As expected, Offensive Security was quick to get back with the results. Two days after submitting my report, I received the email confirmation that I had passed my OSCP 😊
Finally, my OSCP journey was now complete.
Final remarks
The OSCP is not difficult if you have enough pentesting experience. Your experience will not only acquaint you with the techniques you need to know, but it will also give you the ability to perform manual enumeration, identify rabbit holes, and accurately identify the intended exploitation route.
With that said, for those preparing for the OSCP I highly recommend completing the HTB and PG OSCP-like machines. Go a step further and pwn as many machines as you can on PG. As you go through the boxes, make sure you add any new techniques and commands to your notes.
Above all, enjoy the journey and get your OSCP 😊
Thank you for reading my journey, I hope you enjoyed it or found it insightful.
Feel free to get in touch with me on my social media handles:
General Tips
- “Try Harder” really translates to “enumerate harder and keep on trying”.
- If you find something interesting, such as a password, take note of it; you may need to use it somewhere.
- Do not solely rely on automated privilege escalation enumeration scripts. Instead, master your tools, know exactly how they work, understand the output, and then complement the tools by being able to perform targeted manual enumeration.
Exam Tips
- Take the shortest path: go for the boxes in descending order of points, as you can get enough points quickly this way.
- Again, enumerate and enumerate further. Check every port, every banner, and remember, Google is there to aid your research.
- The PWK/PEN-200 course covers pretty much all the attack vectors and techniques you need to master and apply to pass the OSCP.
- Refrain from using Metasploit unless you have completely exhausted the manual exploitation route.
- If you’re stuck, take a break and re-calibrate. Go back to your enumeration and go through all the potential routes.
- If you try something a couple of times and it doesn’t work, maybe it isn’t meant to work that way; think differently.
- Time management is equally important: 24 hours may seem like a lot, but you work best when you still have your energy. So, make sure you take breaks, eat, rest, and pwn more machines.
- Organized note-taking will save you a lot of time; make sure you capture every command and screenshot for your report.
Useful Resources
- OSCP-Preparation-Guide — https://github.com/Cyber-Junk/OSCP-Preparation-Guide
- Exploit-DB — https://www.exploit-db.com/
- PayloadsAllTheThings — https://github.com/swisskyrepo/PayloadsAllTheThings
- HackTricks — https://book.hacktricks.xyz/
Initial Enumeration
- nmapAutomator — https://github.com/21y4d/nmapAutomator
BOF
- Buffer Overflows Made Easy — https://www.youtube.com/watch?v=qSnPayW6F7U
- TryHackMe Buffer Overflow Prep — https://tryhackme.com/room/bufferoverflowprep
Privilege Escalation
- Windows Privilege Escalation Awesome Scripts (WinPEAS) — https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- Linux Privilege Escalation Awesome Script (LinPEAS) — https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
- Pspy — https://github.com/DominicBreuker/pspy
- GTFOBins — https://gtfobins.github.io/
- LOLBAS — https://lolbas-project.github.io/
- Linux Exploit Suggester — https://github.com/mzet-/linux-exploit-suggester
- Windows Exploit Suggester — https://github.com/bitsadmin/wesng