hack -h

A technical guide with a focus on computer security. Your walkthrough to Penetration Testing and Computer Defense.

Passing OSCP

by gr0k

30 March 2019

Tweet

Last September I wrote about my first attempt at the OSCP exam. My goal was to complete the certification by the end of 2018 and today I’m writing about the process I used that helped me pass on my second attempt. Rather than buy more lab time, I decided to use the Hack the Box platform to prepare.

What follows is the process I used to prepare, a few lessons learned, the tools I found most useful, and some thoughts on the new proctored exam format.

Process

Aiming to finish by 2018 gave me about 2.5 months to prepare. When I first got on HTB, I started working on Carrier, and took almost a week to work through it. I realized if I spent a week or so on each box, I wouldn’t have nearly as many repetitions as I’d like before taking the exam again. I wanted a faster way to learn from my mistakes. Having completed more than half of the boxes in the OSCP labs, I knew I had the skills I needed, I just needed to hone my technique.

My solution was to mix the “Try Harder” attitude with a way to get a nudge in the right direction when I got stuck. I got a VIP subscription to Hack The Box which gives you access to their retired machines. Each of their retired machines has a write up and video walk through of how to gain access to each system. The videos are done by Ippsec, and while you can watch them on Youtube, you need the VIP HTB subscription if you want access to the retired systems so you can follow along yourself.

I started out by just watching walk-throughs of the hardest ranked boxes, picking up more than a few new techniques along the way. After two or three videos, I began working on the easier boxes and applying the skills I’d learned. When I eventually got stuck, I would give myself anywhere from 20 minutes to an hour to struggle, and if I was still stuck after that, I’d pull up the video guide to figure out what I was missing.

When I first started, every single time I pulled up the video guide I learned about a new tool or technique I had no idea existed. I remember struggling to find a foothold on a Word Press site, and later learned about WPScan to enumerate plugins. On another system, I couldn’t figure out why an exploit I was sending to a web browser wasn’t working, and learned a sweet trick to base64 encode it through Burp Suite, ensuring the payload gets properly sent to the target system. When I started, I was jumping to video guides for every single box. After about four or five systems though, I referred to the guides less and less, and when I did reference them, my problem was mostly not paying attention to the results of my enumeration.

I gave myself about a month to build up my skills on Unix systems, and another few weeks to focus on Windows. Watching someone go through the linux enumeration scripts and getting an understanding of what to look for made a world of difference. When I finally took the exam and was working on privilege escalation, it took me all of 30 seconds to see exactly what I needed to elevate privileges. Learning the capabilities of the tools at your disposal by watching someone who knows them inside and out significantly increases your ability to learn. You absolutely have to apply the techniques yourself to ensure you have them down cold, but I found having a guide who could point you in the right direction when you got stuck helped significantly reduce the frustration of not knowing where to look.

Lessons Learned

If you’re not running a scan in the background while you’re doing something else, you’re wasting time. Get your scans started immediately, and check in on them from time to time. Once a scan has actionable results, use that information to enumerate further. You don’t want to find yourself stuck waiting for the results of a scan to come back.

Don’t rely on the meterpreter payload or automated tools as you can’t use them on the exam. It is helpful to have a strong understanding of how to use metasploit as a handler for your custom payloads. HTB is a fantastic resource for learning how to do this well. Practicing with searchsploit and being able to quickly examine and copy down payloads was a big time saver.

Understand how to troubleshoot your exploits. Learning how to use Burp Suite was the single biggest help for the exam. The ability to proxy your attacks through Burp so you can see exactly what an exploit is sending is invaluable. In one case, an exploit wasn’t appending a slash to a URL, which was causing the attack to break. I saw the problem immediately when I finally used Burp to proxy the attack, but my initial attempts to troubleshoot took up a lot of time. Check out Ippsec’s videos, he uses Burp in just about every one, and there’s a ton of cool tricks to pick up.

For privilege escalation, understand what to look for in the host enumeration scripts. Ippsec’s videos are again a great resource for learning this. In my opinion watching someone go through this process was incredibly more valuable than stumbling through it myself. You really get a sense of what to look out for, and how to use that information to get root.

Keep your exploits and tools organized. I made a copy of the directory-list-2.3-medium.txt wordlist as medium.txt and saved it in my pen test directory to make it easy to reference when using Gobuster. Pre-compile and test your exploits as best you can, especially for Windows. I saved and tested the Eternal Blue exploits as well as various windows exploits for easy reference during the exam (Links for both below).

Learn how to improve your shell to a full TTY. Nothing is worse than being stuck at a terminal with no history or tab complete.

Document your work as you go. Having a digital notebook of techniques and commands to reference makes life significantly easier in the future. At the end of the day, you are limited to what the operating system and installed programs allow you to do. Once you’ve figured out the commands to execute an attack, saving them so you can repeat the process is incredibly beneficial. Don’t re-solve problems you’ve already figured out.

Practice makes perfect. There are only so many ways to get into a machine. You’ll begin finding patterns and instinctively understanding what services to target the more boxes you work on. Start by trying the low hanging fruit and work up. If a box has SMB and SSH open, SMB will be your most likely way in. By using the HTB walk-throughs as a guide, I was able to work through boxes faster than I had in the OSCP labs. With the increased repetitions, it was easier to see patterns between systems and hone my enumeration process. As I better understood what to look for and what tools to use, getting into systems got easier.

Tools

The following are compliments to the tools discussed in the PWK book. The tools below by themselves won’t be enough to exploit systems, but they make life easier.

Sparta. This was super useful for keeping everything organized during the exam. You can use it to run your initial nmap scans, and it will provide you additional options based on the results. For example, if port 445 comes back open, you can right click and run enum4linux through it’s GUI.

Burp Suite. As mentioned above. Most of the boxes I had for HTB and my exam had some web component. Burp was essential for working through them.

Foxy proxy. This is a neat plugin for Firefox that allows you to easily set proxy controls for the browser. Pairing it with Burp allows you to quickly change between sending requests directly to the web server or through Burp.

Gobuster. A command line tool to easily enumerate web directories written in Go. I found it easier to use than dirbuster, which is what Sparta utilizes if you use for web enumeration.

Tmux I found using tmux to efficiently manage exploits and listeners/shells from a single terminal window was useful. Having all the information you need in front of you at the same time instead of constantly switching between terminals and screens was a big quality of life improvement.

Resources

Repositories and walk throughs I found most useful for my second exam:

Payload All the Things. A github repo of bypasses for web attacks.

File Transfer Techniques. Number of different ways to easily transfer files to target. Once you figure out how to get command execution, these tricks to getting a payload to the target are good to know.

Pentest Monkey Reverse Shell Cheat Sheet

High On Coffee Pentesting Cheat Sheets.

Windows Exploit Suggester

Windows Priv Esc Scanner Note: Deprecated, but useful powershell script. The upgraded, Watson, is a full executable that requires the correct .NET framework on your target, which is more complicated to execute

Pentest Monkey Windows Priv Esc Check

Eternal Blue for OSCP

Precompiled Windows Exploits

Exam Scheduling

I tried scheduling my exam about a month in advance, and all the dates and time slots I wanted were taken. Check back every day. Someone is going to cancel. You might not get your ideal time slot, but you can get pretty close.

Proctoring Setup

Long story short, check in as early as possible to get your webcam and ID check done.

OffSec has implemented proctoring procedures to prevent cheating. To ensure the person signed up for the exam is the person taking it they now check your ID at the start of the exam, they require you have a webcam up throughout your test, and they monitor your desktop. They recommend checking in about 15 minutes before your exam start time to get up and running.

I had to pick up a webcam for the exam. I checked it worked beforehand, and checked in 15 minutes before my exam time to set up the proctoring session. For some reason, my webcam would not integrate with their web system, and I lost almost an hour of exam time troubleshooting with the proctor. In the end, I had to run the webcam locally and the proctors had me keep the camera app visible on the desktop so they could monitor it through their remote desktop viewer. The camera was also bad at focusing on close objects, so I had to send picture of my ID. Bit of a hassle, but the proctor was super helpful and easy to work with while troubleshooting. It’s easy to communicate with them, and they really don’t have an issue if you leave to get food or go to sleep for a bit, you just have to let them know when you are going to take a break.

All in all, minus the technical frustrations, the proctoring was unobtrusive and straightforward.

Going Forward

I don’t know what my score was, but based on the point allocations, I was definitely right on the line. I didn’t submit the lab exercises, and having those bonus points would have been a nice cushion. Definitely identified some weak points to study up on while taking the exam, but I can’t say enough what a great feeling of satisfaction comes when you see the congratulatory email hit your inbox.

Hope this helps you out on your own attempt, if you’ve got comments or questions, add them below!

Tweet


COMMENTS