OSCP Journey

It starts with a "what if? What if I could achieve it?".

According to many, OSCP is one of the hardest out there.

No Metasploit, No automatic tools. Just plain old manual enumeration and exploitation.

I think this OSCP journey has been a really great. I have have learnt so much from my failures, as I have re-took the exam multiple times.

Looking back almost a year ago where I passed the CEHv9 exam, I have gained so much knowledge and hands on experience in what we call the "Cybersecurity Industry".

CTFs are like playgrounds right now, especially CTFTime, VulnHub and HTB.

It took me all the way to the 4th try to get that email which contains "congratulations..".

Quick summary of the 5 machines:

Rooted:
25 points - Buffer overflow (standard procedure)
10 points - PHP Code Execution
20 points - Vulnerable web application leading to RCE into a low privilege shell, priviledge escalation achieved through outdated vulnerable Linux kernel.
25 points - Vulnerable implementation of a python web application leading to RCE into a low privilege shell, privilege escalation achieved through vulnerable sudo.

Got a local low privilege account on the final machine through multiple vulnerabilities. SQLi, leading to authentication to a misconfigured FTP, subsequently gaining remote access to accounts through password attack from the misconfigured FTP service.

TL;DR

I'll share the 5 must have before taking an OSCP.

  1. Windows, Linux and Network infrastructure knowledge
  2. How web application works, the components, and the types of attacks
  3. Enumeration techniques
  4. Occasional password attack (knowing your systems well, at point number 1)
  5. Patience, and lots of coffee.

1) Windows, Linux and Network infrastructure knowledge

I started off as an infrastructure student back at polytechnic, where I gained built my foundation on using the linux terminal and windows active directory environment. It was second nature to me, to use the terminal to interact with a UNIX base system. But after taking the OSCP exam, I realize how little I know about the internals of Windows. So to be prepared for OSCP, is to also the fundalmentals of Windows, Linux and Networking infrastructure knowledge at your fingertips

2) How web application works, the components, and the types of attacks

SPOILER ALERT. Since most of the attack vectors in OSCP/PWK were web vectors, it is important to understand how web applications communicate and process information. From using Burp to intercept a message and modify it, to manual SQL injection or command injection attacks, these are some of the vulnerabilities that OSCP/PWK tend to have on their machines. (You know some attack vectors right?) So know the difference between a GET or POST parameter would also be useful, as you would have a better gauge on how the web application communicates. This habit is also being brought forward to the REAL WORLD. Certain contracted work which I have done as a freelance inherited certain skills or lessons which I have picked up during the PWK/OSCP sessions. Or, just play more CTFs!

3) Enumeration techniques

Probably the MOST important skill needed in the OSCP exam. If you can't see it, you won't see it! Nmap, Unicornscan, Dirb, Gobuster, Nikto, and any other scanning tools will not be sufficient. It also requires one important factor, "Curiousity". Enuemration can't be taught, but self taught. Think about the day which you have to learn something new, and only you can teach yourself. That is the feeling which I had. No matter how many articles I read or reviews, it all boils down to this: "Which way of enumeration are you most comfortable with?". Well, to sum it up, enumeration is matter of getting as much information as possible for your next phase which is either gaining a shell, or popping a root/administrator shell. :)

4) Occasional password attack (knowing your systems well, at point number 1)

Yes, occasional password attack. Seems like an outdated thing? PWK/OSCP has it! In fact, if a developer does not have good practices, you might land yourself on a password cracking scenario! Well, in PWK/OSCP, you will learn how to crack passwords such as Linux passwords, or Windows passwords. Of course, you will learn the mitigations as well! But I personally think that this is an important factor because, it could make your life WAY easier, if you could just "remote in" the machine right? Why bother kicking the front door when you have the key?

5) Patience, and lots of coffee.

Lastly, patience. TONS. OF. IT. I must say, the countless times which I have been restless in the first two attempts when I am not getting anything. Being composed and having the patience to look for "something new" in the systems is VERY important. In fact, it is like trying to guess 'what could have the user had done, which I might be able to exploit?'. This is significant, as it makes or break your exam!

Probably CPSA to get my CRT next? Or hop into EC-Council's LPT? I'll ask myself that 'What if?' question again soon.

Thats all!

Here are my favourite resources for sharing!!

Priv-Escalation readings:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
http://www.fuzzysecurity.com/tutorials/16.html
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Cheatsheets:
https://www.stationx.net/nmap-cheat-sheet/
https://hackercool.com/2016/07/smb-enumeration-with-kali-linux-enum4linuxacccheck-smbmap/
https://blog.cloudflare.com/inside-shellshock/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/os-cmd-execution