Hacking the OSCP: If at first you don’t succeed…
Well, it happened - In late June I sat for my first attempt at the Offensive Security Certified Professional (OSCP) exam and failed. Failing the first attempt with the OSCP is pretty common - and I was already going into it with the mindset that the first attempt was for practice. I needed to get a feel for the pacing of the exam, and to figure out what additional things I needed to focus on in the lab. As I like to say - you win, or you learn.
… and then I took the exam again a month later - and this time, I passed. This post is about how I turned things around in just 30 days in order to become an Offensive Security Certified Professional, and it all starts with having a really solid playlist to listen to while hacking. And with that queued up - let’s do this!
Anticipate Rabbit Holes
One of the ways the Offensive Security team raises the level of difficulty on the exam is to throw in a lot of avenues for students to attack. It’s important to quickly discern what represents a real opportunity to gain a foothold on the target system, and what things have been thrown in to waste your time. There are a few questions you can ask yourself when enumerating a system with a lot of open ports:
- Have I tried the really simple things, like anonymous FTP on port 21, or telnet to the seemingly random ports that my recon process found?
- Are my automated tools throwing a lot of (probably false) positives at me? If so, have I taken a few minutes to look at things manually and rule them out?
- Have I tried adding the target IP to my `/etc/hosts` file with the computer name? Have I browsed to the HTTP and HTTPS versions of the site on those other HTTP ports?
- (For web apps) Have I tried Local and Remote File Inclusion? What about SMB share syntax on Windows machines (e.g. `\\ip-address\sharename\filename`)? Have I set up Responder with the following (exam-allowed) analyze-mode syntax, which does no LLMNR/NBT-NS poisoning but still runs the rogue SMB server that catches the NTLM hash when the app reaches out to my share: `sudo responder -I tun0 -v -A`
- Are there known vulnerabilities for the software running on specific ports (such as Remote / WiFi Mouse, which usually runs on ports `8099` and/or `9099`)? Have I looked through `searchsploit` to see if anything sticks out as remotely exploitable?
By the time you’ve run through these questions, you’ll usually have found a path forward. Know that on the OSCP open attack paths are not a mistake - so if your gut is telling you that some particular foothold is the path forward, then follow it until the end.
And most importantly - if you hit a wall and nothing you’re doing is working, then either you’ve chased the rabbit hole to the end, or you need to take a break / pivot and come back to it later. So long as you have taken good notes on what you’ve tried so far, and what you might like to try when you get back to it, then it’s okay to move on and come back to the target later on.
Practice Windows Privilege Escalation and Lateral Movement
In the coming weeks I’ll be publishing a blog post (or possibly two) on the specific things I look for when attacking a Windows machine - but the most important thing to remember is that at least 50% of your targets on the OSCP exam are going to be Windows machines. Gaining Administrator on the Domain Controller is, for all practical purposes, required to pass the exam (the Active Directory set is worth 40 of the 70 points you need). Spending lots of time getting comfortable with Windows systems - especially when you’re stressed and facing time constraints during the exam - is going to be worth it.
To help you get a leg up on the process of obtaining `nt authority\system` privileges, I recommend taking a good look at Windows Privilege Escalation Awesome Scripts (WinPEAS), as well as Guifre Ruiz’s Windows Escalation of Privilege notes. Being able to recognize Unquoted Service Path, insecure backup, and DLL Hijacking opportunities at a glance is going to make the process of hacking Windows systems that much easier.
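As an added example that is not from the original post, WinPEAS, or Guifre Ruiz’s notes, here is a PowerShell routine that does one of those at-a-glance checks by hand: it lists services whose binary path is unquoted and contains spaces, works out which `prefix.exe` files Windows would try before the real executable, and probes whether the current user can write to those directories. The function names, the write probe, and the filter that skips anything under `C:\Windows` are my own choices, not anything the post prescribes.

```powershell
# Added example (not from the original post or from WinPEAS): enumerate services
# whose binary path is unquoted and contains spaces, then test whether the
# current user can write to any directory Windows will search before the real
# executable. Assumes a stock Windows host and a low-privilege shell.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }

    # ACL parsing is error-prone (inherited and deny ACEs), so probe for real:
    # try to create and delete a randomly named file. WriteAllText throws on
    # access denied, which the catch turns into $false.
    $probe = Join-Path -Path $Directory -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePathCandidates {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and                     # already quoted: safe
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\' -and  # stock Windows services: skip (my filter)
            $_.PathName -match ' '                                 # no space: nothing to hijack
        } |
        ForEach-Object {
            $svc = $_
            # Drop any arguments after the executable; keep "C:\Some Dir\svc.exe".
            $exe = $svc.PathName
            $m   = [regex]::Match($exe, '^(.*?\.exe)\b', 'IgnoreCase')
            if ($m.Success) { $exe = $m.Groups[1].Value }

            # CreateProcess tries each space-delimited prefix + ".exe" in turn:
            # for C:\Some Dir\svc.exe it tries C:\Some.exe first. Build those prefixes.
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $hijack = (($parts[0..($i - 1)]) -join ' ') + '.exe'
                $dir    = Split-Path -Path $hijack -Parent
                [PSCustomObject]@{
                    Service    = $svc.Name
                    RunsAs     = $svc.StartName   # LocalSystem => SYSTEM if the hijack fires
                    StartMode  = $svc.StartMode   # Auto => fires on reboot even if you can't restart it
                    ImagePath  = $svc.PathName
                    HijackPath = $hijack
                    Writable   = Test-DirectoryWritable -Directory $dir
                }
            }
        }
}

# Usage from a low-privilege shell: show only the rows worth a second look.
Get-UnquotedServicePathCandidates |
    Where-Object { $_.Writable -and $_.RunsAs -eq 'LocalSystem' } |
    Format-Table -AutoSize
```

A `Writable` row only pays off if the service runs as `LocalSystem` and you can either restart it (check the service ACL) or wait for a reboot of an `Auto` service; the DLL Hijacking check the post mentions is the same idea applied to the directories in the service binary’s DLL search order rather than to the binary path itself.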
Then, when it comes to lateral movement, knowing exactly which Mimikatz commands to run, and having them ready to copy and paste from your notes, will save you a ton of time. You’ll then need to know how to make use of those credential hashes - whether by cracking them with Hashcat, or using Pass-the-Hash / Pass-the-Ticket techniques with tools like `impacket-psexec`, `evil-winrm`, or `xfreerdp` (note that `xfreerdp`’s pass-the-hash option only works against hosts that have Restricted Admin mode enabled). If you’ve done your recon, it should be pretty obvious which tools and techniques you’ll need to use when moving laterally into the next Domain machine.
This content was written by a human being; If you find it useful, enjoyable, or influential (and have the coin to spare) - you can support my work via Patreon.️ Thank you to those who already support this blog! 😊 And now, back to that organic content you were enjoying! 🎉
Pace Yourself
The time constraints on the exam are there to add a certain amount of stress - which is intended to test how well you actually know what you’re doing. On my first attempt it took something like 3.5 hours for me to gain `nt authority\system` privileges on the exposed Active Directory machine. On my second attempt, it took me 2.5 hours to achieve the same outcome. After that it took me another 5 hours of hands-on-keyboard effort to gain `nt authority\system` access on the 2nd machine. Four of those five hours were spent running into a wall before I stopped for the night and got some sleep.
You see, every night after having dinner with my wife and watching a T.V. show, I would go back upstairs to practice in the PEN-200 labs around 7:00 p.m. - I had built up a habit of thinking about hacking for at least a couple of hours before going to bed. Having this regular routine made my first exam attempt feel a little more familiar - and made my second attempt feel natural.
Getting four hours of sleep that night, taking a refreshing shower in the morning, and having a relaxed breakfast afterward helped set the pace for the rest of the exam. It took me less than an hour after getting back to the keyboard to gain Administrator on both that machine from the night before, as well as the Domain Controller. At that point I had 12 hours left on the exam and 40 points accumulated toward my final score.
The lesson here is that it’s super important to take breaks, get some sleep, and eat properly. But more than that - having a routine that you follow leading up to the exam will help you identify the best time for you to schedule your exam attempt; for me that was 7 p.m. Eastern time.
Set Goals and be willing to Pivot
Every time I completed a “goal” (gaining Local or Administrator access), I would stop to make sure I had all of the commands written down and screenshots I needed for evidence, and then kick off my automated tools for Privilege Escalation and/or Lateral Movement. While these were running, I would take a 10-15 minute break to go to the bathroom, grab a snack, fill my water bottle, and share news on my progress with my wife. Between her encouragement and the chance to step away and think, I felt modestly rejuvenated and eager to proceed every time I sat back down at my keyboard.
I would likewise take a short break when I hit a wall and needed to reset. This was a good opportunity to reflect on what I had tried so far, and to ask myself whether I should pivot to something else or if I felt like I had enough options in front of me to keep going. Toward the end of the exam I started setting loose targets on what I wanted to accomplish with my remaining time.
Ultimately I ended up spending something like 3 hours on a stand-alone box that I only ever got Local user access on before pivoting back to a stand-alone box that I had initially started early in the day and quickly pivoted away from. When I pivoted back to that original stand-alone box from earlier in the day, it was like my entire mindset had somehow done a backflip - because I quickly gained not only Local user access, but Administrative access shortly after the pivot.
Sometimes, all your brain really needs is a change of perspective for the gears to go into motion. My strategy for approaching the exam was as follows:
- Get Administrator on the Domain Controller
- Get Local user access on at least two systems
- If it looks like it will be easy to privilege escalate on a box I’ve got Local user access on, then try it. If that doesn’t work out - pivot and come back to it.
Start writing your report before the exam ends
Some of the best advice I received prior to taking the exam was to start writing the report before my access to the exam lab ended (thanks Craig!). This helped guarantee that I had all of the screenshots I needed for both Local and Root / Administrator proofs for all of the boxes I had pwned. It also allowed me to make sure the screenshots I had taken accurately reflected the commands and steps I used to obtain access to the machines.
In terms of how I went about writing my report, I used a Notion template shared with me by c0nsid3rate. This made the entire process a LOT easier, and the final document was only 4.1 MB in size after adding 47 screenshots and writing 55 pages of documentation.
Working from a template will prompt you for things you need to include on the report in order to pass the exam - so don’t skip the process of looking over the official Offensive Security report template examples before you start writing your report.
Practice, Practice, Practice
By the time I stepped into my second exam attempt, I had already gained root / administrator privileges on forty of the PEN-200-2022 lab machines, eighteen of the PEN-200-2023 lab machines, and completed 94% of the chapter exercises. In the process I had earned 10 bonus points for the exam, and built a wealth of experience along with a mountain of notes to show for it. Those 10 bonus points make a huge difference come exam day - because it means you only need the Active Directory set and two Local user shells on the stand-alone boxes to earn enough points to pass the exam.
And as I said in my very-first blog post in this series: practice is the difference between wanting to be a 1337 H4x0r, and actually becoming one. The only way you’ll really know what to look for, what steps to take, and what attack vectors to pursue is by putting in the work - and that means getting in the lab and practicing every week.
As always, thanks again for stopping by to read my pseudo-random musings 😊 While I draft my next blog post, you can `git checkout` other (usually off-topic) content I’m reading over at Instapaper - or go back and read my other OSCP content for additional tips-and-tricks.
Until next time, remember to `git commit && stay classy`!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!