My OSCP Review

Anon Tuttu Venus
5 min read · Jan 1, 2021
OSCP

Hello guys, Anon Tuttu Venus here. Today I will share my OSCP experience. There are tons of OSCP success stories on the internet, and I wish to share my experience as well. This post won’t be that BIG!! but I have included everything that helped me during prep and during the exam.

Like every other Infosec guy, I too had a dream to achieve OSCP, and last Saturday, 26th Dec 2020, I attempted the exam and got the mail from Offensive Security on 28th Dec 2020 saying that I had cleared it. It was for sure one of the best things I have done in my life so far.

My OSCP journey officially started on Aug 14, 2020, when I booked 90 days of lab. Each day I spent a minimum of 2 hours after my office work, and I learned so many new things during the journey. Before the OSCP, I had done 2 practical exams (eJPT and CEH Practical). In this write-up, I will be focusing more on the learning path and tips rather than on a success story. So without further ado, let’s begin with a few tips for your training.

Prerequisites to OSCP

  1. Never-Give-Up Mindset — In my point of view, one of the most important things is a never-give-up mindset. Some days you won’t be able to learn anything; you may not understand what you are watching or what you are reading, but come back strongly the next day.
  2. Gather as Many Resources as You Can — Google OSCP using Google dorks and you will find tons of resources. I bookmarked many during the journey. You can access my Google Chrome bookmarks from here.
  3. Note Taking — You should take notes and make your own cheat sheets. I stored my commands in my OneDrive. I will be sharing a small part of my quick cheat sheet; you can access it from here. I made it for quick reference, so you may or may not like the arrangement. I repeat: it’s always better to create your OWN. For note-taking you can use Joplin; it is a really amazing tool.
  4. TJ Null’s OSCP Like Boxes List → https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
  5. IppSec OSCP PlayList→ https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf

Exam Day!

The exam was on Dec 26th at 11:30 am IST. I woke up at 6 am and went to church!!! I had my breakfast and patiently waited for the exam. At 11:15 am I joined the proctored session and the proctor joined right away. I completed the instructions and started the exam at 11:30 am sharp.

Recon — One of the most important parts.

I connected to my exam VPN and checked the connectivity to the gateway; everything was working as expected. We had 5 machines to crack: 1 BOF and 4 others.

I added 6 workspaces on my Kali; the 6th workspace is dedicated to my VPN connection so that I won’t accidentally close my VPN terminal, and the other 5 are one per machine. On my desktop I created a folder named “EXAM” with 5 subfolders { 1–25-X(BOF), 2–10-X, 3–20-X, 4–20-X, and 5–25-X }; once I got the machine IPs, I replaced the X with the last octet of each machine’s IP. In each workspace I opened a terminal and changed directory to the respective folder.

I started with threader3000 on all 4 machines. Threader3000 is a script written in Python3 that allows multi-threaded port scanning; it hardly takes 30–40 sec to get the result. Once I got the result I ran my nmap scan. I usually use this:

nmap -sV -sC -A -p80,22 -T4 -oN nmapFULL 10.10.10.10
(the port list after -p is the output of threader3000), where:
-sV → service/version detection
-sC → default NSE scripts
-A → aggressive scan (enables OS detection, version detection, script scanning and traceroute)
-p → scan only the specified open ports
-T4 → faster timing template
-oN → save the output in nmap’s normal format

Along with nmap I used AutoRecon, splitting each terminal. Once nmap and AutoRecon were running on all 4 machines, I started on my BOF machine. By the time the BOF is completed, all your scans will be over and you can decide which box to start with next.

BOF(25) → 10 → 20 → 20 → 25 was my order.
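The recon setup described above (per-box folders, threader3000 first, then nmap on just the ports it found) as a small POSIX shell helper. This is an added example and not the author's own script. It assumes threader3000 prints one "Port N is open" line per open port (assumed from the tool's usual output) and that nmap is on PATH when you actually run the generated command; the threader3000 output below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the exam recon layout from the
# section above as a shell helper. Assumptions: threader3000 prints one
# "Port N is open" line per open port (format assumed from the tool's usual
# output), and nmap is on PATH when you actually run the generated command.

# Create <base>/<index>-<points>-<last octet> for each box.
# Each argument is "index:points:ip", e.g. 1:25:192.168.100.10
mk_exam_dirs() {
    base="$1"; shift
    for spec in "$@"; do
        idx=${spec%%:*}
        rest=${spec#*:}
        pts=${rest%%:*}
        ip=${rest#*:}
        mkdir -p "$base/$idx-$pts-${ip##*.}"
    done
}

# Extract the open ports from saved threader3000 output and join them
# with commas, sorted numerically, ready for nmap -p.
ports_from_threader() {
    printf '%s\n' "$1" \
        | awk '/^Port [0-9]+ is open/ { print $2 }' \
        | sort -n \
        | paste -s -d, -
}

# Build the nmap command used in the post, restricted to the ports
# threader3000 found, writing normal-format output into the box's folder.
build_nmap_cmd() {
    ip="$1"; ports="$2"; outdir="$3"
    printf 'nmap -sV -sC -A -p%s -T4 -oN %s/nmapFULL %s' "$ports" "$outdir" "$ip"
}

# Demo on constructed threader3000 output (no network access needed).
SAMPLE_THREADER='Port 80 is open
Port 22 is open
Port 1787 is open
Port scan completed in 0:00:09'

demo_dir=$(mktemp -d)
mk_exam_dirs "$demo_dir" 1:25:192.168.100.10 2:10:192.168.100.57
ports=$(ports_from_threader "$SAMPLE_THREADER")      # 22,80,1787
build_nmap_cmd 192.168.100.57 "$ports" "$demo_dir/2-10-57"
echo
# In the exam: eval "$(build_nmap_cmd ...)" & per box, then move on to the BOF.
```

Because the port list comes straight from the fast scan, the full nmap run only spends time on ports that are actually open, which is what makes starting the BOF in parallel practical.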

Don’t Blindly Trust Your Tools!!

Nmap will show fancy output: common ports will be highlighted with version details, and you may find an easy exploit for those versions, but remember it won’t be that easy. Always check out the uncommon ports. For example, if you find an uncommon port, google it, but don’t stop there. Create a simple TCP connection using “nc”. If you get any output, google that as well.

nc -nv 192.168.x.x 1787

The same thing applies to winPEAS and linPEAS: both are simply awesome tools, but they may miss important stuff as well.
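To make the "don't stop at nmap" habit mechanical, here is an added helper (not from the original post) that pulls out every open port nmap marked as unknown, or only guessed (a trailing "?"), from a saved -oN file and banner-grabs each one with nc, the way the section above recommends. It assumes nmap's normal output uses "PORT STATE SERVICE VERSION" rows such as "1787/tcp open  unknown", that nc reports its connection status on stderr, and that coreutils timeout is available; the nmap output below is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find the ports nmap could not
# fingerprint in a saved -oN file and banner-grab them with nc. Assumptions:
# nmap normal output has "PORT STATE SERVICE VERSION" rows such as
# "1787/tcp open  unknown"; nc prints its status to stderr; coreutils
# timeout is available.

# Print the port numbers whose service nmap marked as unknown or only
# guessed (trailing "?"), one per line. These deserve a manual look.
unsure_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" &&
        ($3 == "unknown" || $3 ~ /\?$/) {
            sub(/\/tcp$/, "", $1); print $1
        }'
}

# Connect to each port, send a bare CRLF to poke text-based protocols,
# and keep the socket open for a few seconds so a banner can arrive.
probe_banners() {
    ip="$1"; ports="$2"; wait="${3:-4}"
    for port in $ports; do
        echo "=== $ip:$port ==="
        { printf '\r\n'; sleep "$wait"; } \
            | timeout "$((wait + 2))" nc -nv "$ip" "$port" 2>&1 \
            | head -c 512
        echo
    done
}

# Demo on constructed nmap -oN output (no network access needed).
SAMPLE_NMAP='Nmap scan report for 192.168.100.57
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.29 ((Ubuntu))
1787/tcp open  unknown
8080/tcp open  http-proxy?
9999/tcp filtered abyss'

unsure_ports "$SAMPLE_NMAP"      # prints 1787 and 8080
# Real use: probe_banners 192.168.100.57 "$(unsure_ports "$(cat nmapFULL)")"
```

Anything that comes back from probe_banners is exactly the string the post tells you to google next; a port that stays silent is still worth a second probe with a protocol-specific client, since many services only talk after a valid request.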

Some Tips and Tricks

  • Always keep an eye on ports listening on localhost while doing priv esc (services bound to 127.0.0.1 never show up in your nmap scan from outside).
  • Always try to use common ports for getting a reverse shell {53, 443, 445, 139}; they are less likely to be blocked by egress filtering.
  • Take as many screenshots as you can.
  • Don’t get burned out. Take short breaks. I even took a bath in between!! :P
  • Once you root a machine, or move on to the next box after getting the user flag, DON’T close the terminal. Use another workspace to attack the next box; I found this very useful.
  • There are rabbit holes made just to get you stuck. Don’t cling to one path.

Recommended Udemy Course !!!

Heath’s course is 7.5 hours and contains detailed explanations; most of the privilege escalation techniques in the course come with an example HTB/THM machine.

Tib3rius’ course is 1.5 hours and contains exactly the privilege escalation content you need. I watched both videos 1 day before my exam.

I think I will stop this write-up here; I will be posting more about OSCP on my GitHub and LinkedIn.

I’m planning to make a BOF video plus a complete report write-up of the BOF and a random box [the way I wrote my official exam report].

Links:

OSCP Verify Link: https://www.youracclaim.com/badges/e7139447-2ef8-47fd-9500-37b6831e5518

Github: https://github.com/anontuttuvenus

Linkedin: https://www.linkedin.com/in/anontuttuvenus/
