OSCP my journey
This will be the first post in my blog, in fact my first article on the web since forever. So, please forgive my English, possible grammatical faults or illogical structure of the text.
A lot of people on the internet share their journey about their OSCP certification. I read a lot of them while I was practicing, and I enjoyed reading most of them, as they help, encourage and raise morale, so I decided to share mine to help people get motivated too, and also because I want the moment to be registered.
Context:
It was February 2018, and the only Linux commands I knew were 'ls', 'cd', and not much more. I had 9 years of work experience in the fenestration software business, of which the last 5 years were mostly about sales and other non-technical stuff (at least not hacking-level technical), 1.5 years of sales in the textile area, and had spent from September 2017 to January 2018 programming a structural calculation software. I did have my programming skills on a good level.
In the above-mentioned month, I started a master in Cybersecurity. The first signatures were about Cyber Intelligence, SIEM software and Secure Development of Software, and while doing these signatures I learned Linux and Kali.
At the beginning of May 2018 I started the signature Ethical Hacking and I was really, really excited about it; this signature was the big reason I had enrolled in this master. In April 2018 I started with HackTheBox, thanks to a friend and to the amazing teacher of the signature Secure Software Development.
The Decision:
In May 2018 my plan was to study and obtain the CEH certification during the months of July and August (the pause of the master), and when I shared this idea with a friend (Alvaro) from the master, he told me about the OSCP. When he told me about the 24-hour exam and the deeply technical approach of the certification, I instantly fell in love with it. In that exact same moment I changed my mind; it was clearly, by far, a better option than the CEH.
So, after some days, I was subscribed for a 90 days lab package, to start at the same time as the signature Ethical Hacking of my master.
I was unable to combine the study of both, so I lost the first month, because the master signature of Ethical Hacking was more theoretical and the OSCP was more practical.
Advice: Don't jump to the exam like I did, you should practice a lot before starting with the lab, I leave you some links here:
If you are an experienced penetration tester, forget the above advice.
The Study:
At the beginning of July 2018 I started to study for the OSCP. In the end I took 20 days for the manual and 40 days for the lab. During those 2 months, July 2018 and August 2018, I studied around 12 hours a day, and the rest of the day was ~2 hours for my girlfriend, ~2 hours to eat and bathe, and 8 hours to sleep. Sometimes I used to go for a run and study one hour less.
I have managed to exploit 34 of the 44 public machines. I did not exploit the other networks.
Advice:
- Study hard and focus, try to forget about anything else; you can resume other types of activities after you get the certification.
- Take notes of everything you do. For people like me, without any experience, it is crucial.
- It is very important to actually do the exercises, whether you make the report or not. One thing is to read the exercise question and think you can do it, another thing is to actually do it.
Some links with good content to study:
https://sushant747.gitbooks.io/total-oscp-guide/
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/
http://pwnwiki.io/#!index.md
https://backdoorshell.gitbooks.io/oscp-useful-links/content/backdoorsweb-shells.html
https://highon.coffee/blog/
The EXAM:
Monday, 01/10/2018
The exam started at 9:00, the email was really punctual.
At 9:15 I got a blue screen of death and all the preparations I had done were gone, like connecting the VPN, starting TMUX, creating a different tmux thread for each machine and starting nmap scans for all the machines. So I had to start everything again. It was only 15 minutes, but what counted was the stress of the moment; not the best way to start, I can assure you.
At 11:10 I had finished the BoF, 25 points secured. I advise doing this machine first, it's free points if you study well.
At 12:00, when I was about to catch the flag for the 10 points machine, the network stopped, and I had to ask support for help. After reducing my MTU from 1500 to 750, in units of 50, it finally worked again. (The staff was very fast to answer me, so don't worry if you have problems in the exam, you'll get assistance.)
At 12:17 I was getting my 10 points flag. 3 hours, 35 points total, I was feeling confident.
At 16:57, from one moment to the other, VMware simply shut down, and I lost all my ongoing work. Well, restart again... Luckily my cherrytree files are on the host computer (even though I access them from the guest also) and they save 5 in 5 minutes... (always set cherrytree to save x in x minutes)
At 18:12, while exploiting a web app for vulnerabilities, Firefox stopped working, something I had never seen before.
At 18:22 I decided to update my Kali. At this point we have to agree, it was the dumbest decision I could have made, but Firefox was not working, returning some kind of error about updates. I could not update only Firefox for some other reason I could not explain, so I just shot for the entire OS and updated Kali. Fortunately, it worked, and after the update Firefox started to work again. (By the way, I was already using a modified version. They say we should use the one they give us without modifications, but I really don't like that... So I had and still have my modified Kali version.)
Around 19:00, I was able to compromise the user of a 20 points machine (I guess I could count it as 10 points, but keep in mind that points are not only the flags, they are the screenshots, they are the report..., so if one does everything plus one flag, I believe that at least half the points are earned).
It was 19:30 and I had:
- 25 points from the BoF,
- 10 points from the low points machine,
- 10 points for user from a 20 points machine.
with a total of 45 points.
Still left:
- 10 points for root user from one 20 points machine,
- 25 points from a machine,
- 20 points from another machine.
At 04:00 I was in the same situation as I was at 19:30, 8 hours of nothing... I was not physically tired (I have great stamina when it comes to doing technical stuff like offensive security), but my morale was completely down and I was without hope.
I had:
- logins for the 20 points machine, but somehow I could not use them (by the way, I might have gained a few points here, I found some vulns and got some data, which I included in the report),
- an idea how to exploit the 25 points machine but it was not working,
- no idea how to get root in the 20 points machine I was already in.
I had 5 hours left to finish the exam, but I gave up, I turned off my computer and went to bed.
Around 05:00, after sleeping around 1h, I woke up naturally with some ideas in my head, and I returned to the computer. (I wonder how it would be with the actual proctored exam.)
At 06:00 I was able to exploit the 25 points machine user and root... I was at this point with 25+25+10+10 = 70 points, but I was not so sure, because 10 of the points I believed I had were the 10 points for getting user in a 20 points machine.
If I had done the lab report, it would be already a victory, but I didn't, so I kept fighting till 8:45 trying to get root in the 20 points machine, there was an exploit working but it was not finishing...
At 8:45 I went to bed.
The next day I woke up around 12h, started to make the report, and finished at night, because I had master classes. I sent the report, everything according to the rules.
After 1 day, I received the news that I had successfully passed the exam. It was a very happy moment for me, the culmination of 60 days studying day and night. This is the moment that one feels glorious and victorious...
Last advice:
- You should prepare yourself to lose morale during the exam. Preparing yourself, aka just being aware of the possibility, will help you to handle the frustration better.
- Take notes of everything you do in the exam, better to have more than less.
- Very important the screenshot of the hash together with the machine IP.
- Keep calm during the exam, there is time for everything.
Special Thanks to:
- Linna Gao - The girlfriend
- Joao Vaz - The best friend
- Alvaro - Who told me about the OSCP exam
Congratulations again!!!
Your persistence and hard work will always pay back!
And, I will stay at your side to support you.
Love you,
Linna
Congratulations! :)