OSCP Review - Proctored Version

About Me:

I am a motivated IT professional with 14 years of experience in the IT industry. During the initial days of my career I worked as a programmer. After some time I got interested in Systems Administration and started working as a systems engineer. Later in my career I took a job at a small company where I discovered that the servers were compromised, and I started investigating and making plans to lock the attackers out. Looking at files left by the hackers and some pointers, I learned a lot, but there was also some stuff that I knew was malicious without being sure what that code actually did. I think I blocked them out after 3 months of planning and cleaning up. This got me thinking: I should probably get into Information Security, and my Journey to Info Sec started !

Transition:

I started my Master’s degree in Information Security and Assurance. Certified Ethical Hacker, GIAC ISO 27000 and Computer Hacking Forensic Investigator certifications were part of the degree. I was able to pass these certifications with ease. I attempted these certifications every other week and in three weeks, I earned these certifications.

Not Enough…. I heard a lot of buzz around CISSP and decided to get my CISSP. Not too bad: I did research for about a week, took the date and in about 15/20 days I got my CISSP.

Not Enough yet…. Plus I needed 40 CPEs to maintain my CISSP, so I thought I needed to get another cert that might have some value and also gain 40 CPEs. I came across CISM, a different perspective to CISSP. I took a bootcamp at work, took the earliest available date and I got my CISM, probably in about a month because of the wait.

Hmm… I had decided I was done with Certifications.

Well, I was wrong. I came across a colleague at work who was motivated and his goal was to get OSCP. Hmm, I need to take a look at this certification. Did some research and ………..Dang ! I need to get this cert. Seems like a challenge and not just another cert.

That is when I decided to get my OSCP. I started my research and started working on some Vulnhub boxes. After doing about 15 boxes, that wasn’t enough, I needed more………….I looked at the cost for OSCP – $800 for a month’s lab. Did some research and most people recommended 3 months lab access and I didn’t have a pentesting background.

After a couple of days of “I should” and “I shouldn’t”, I pressed that button and purchased 3 months lab access for $1150. Now I had to spend those hard-to-wait two weeks before my lab began.

After two weeks of desperate wait, I finally got that email with a link to download the lab materials – Training Video, Training Guide PDF, Kali VM and VPN Credentials, yay !

There are 54 unique vulnerable servers in the lab and my goal was to get them all !

The Start:

I wanted to jump into the lab and start attacking, but I controlled my urge to do so and watched the 8 hour video. After finishing the video once, I started watching the video again, but this time along with the PDF guide. I started taking notes and also doing straightforward labs and documenting for my lab report. Doing the lab report has its perks. You get bonus 5 points but that’s not the only perk. You also get prepared for your final report. You can prepare your final report template as well. Trust me, you will be glad you did.

Once I was done with the lab video and the PDF, most of my lab exercises were complete. I left the ones that actually needed interaction / attack on the lab boxes for later, when I would actually start attacking the lab. By the time I was done with the training materials, I had enough notes and a plan to start attacking the lab. I had spent about 45 days during this time.

Which Boxes to start with ?

I scanned the network and gathered the IP addresses and created a page for each IP in my OneNote. Yes, I used OneNote for note taking during both my exam and my exercise. I started in order from the lowest IP address. Some of the boxes in the lab also have dependencies and there is no way to own them without compromising a dependency first. For any boxes where I couldn’t find a vector to get in, I left them and moved on to the next IP. Some machines were very easy and some were pretty tough. Some of the boxes even took 4 days of trying harder but finally they gave up 🙂 .

I had about a week of my lab time left when I had compromised all the servers in the public network, admin network, dev network and IT network. I didn’t have a lot of pivoting and tunneling and I wanted to do these networks. Yes, when you compromise the lab machines you will encounter machines that can talk to other networks and you have to tunnel / pivot through them. To get to the Admin network you have to double pivot. I enjoyed pivoting and tunneling once I got the hang of it.

Exam Registration:

I registered for my exam and the earliest date I could get that matched my schedule was 28 days out. I registered for the challenge :). Then I started preparing my lab report and had my final report template ready to go. I started reading reviews, learning different stuff, watching reviews etc. until a couple of days from the test. During the last couple of days I just reviewed my notes, my lab notes and revisited how I compromised the lab machines so they were fresh in mind, in case something similar showed up in the exam. I also refreshed my buffer overflow skills.

The Exam:

My exam was scheduled for 3.00 PM. I was waiting every minute for the exam VPN credentials to arrive and finally at 3.00 PM I got my exam credentials. Dang ! I forgot how to connect the VPN 🙂

After a couple of minutes of nervousness and anxiety, I connected to the VPN. I reviewed the exam guide, went through the Exam Objectives, and off I started. I was confident enough that I would get the buffer overflow in an hour, and by that time my scans would be completed and I would start with the next 25 Point Box.

An hour went by, I ran into some issues. I did everything but just wouldn’t get the reverse shell. I was a little worried. Tried again for the next 30 minutes.. nothing. Dang.. I was so confident with the Buffer overflow but what was going on…. I started watching a buffer overflow video on YouTube and then I realized that somehow I had removed “\0x00” from my bad characters list 😀 . As soon as I realized that, I knew I had it. I added “\0x00” to the bad characters list, generated the shellcode, and fired up the script. B00m!, I had my first reverse shell and 25 Points in my pocket. Took me 3 hours 🙂

The Break : 15 minutes.

A little bit of confidence and on to another 25 points box. All I needed was a 25 point box and a 20 point box and I would be an OSCP on my first attempt 🙂 . Not so fast Mr ! I did my enumeration and picked one potential vector. On to that for the next two hours and no progress.

Worried again !

I switched to a 20 points box and thought to myself, this might be a little easier. After an hour and a half, I was in, got a reverse shell with a low privileged user. Next 45 minutes and I had a full shell. Confidence Booster ! I have 45 points in my pocket now !

Planning time 🙂

I have 45 points and I need at least 20 more; that would give me 65 points, and with 5 points from the report I might pass ! With 25 points I would certainly pass ! With 10 points, I would still fail 🙁

So my only option was to get either the 25 point box or the 20 point box, then I could go for the 10 point box for extra !

About 8 hours went by. It was 11 PM. I still had time and I just needed that one little clue to get the reverse shell. I switched back and forth between two boxes, enumerated, enumerated again, went down some paths I thought were right for hours and nothing. It was 2.00 AM. I needed to sleep ! I was tired but I wanted to pass.. so I kept trying and finally at 5.00 AM I decided to sleep. Set an alarm for an hour and fifteen minutes. Woke up at 6.15 AM and basically just stared at the screen for some time. I didn’t have enough sleep, I wasn’t functioning, panic had kicked in and I mentally failed. I still kept trying and it was 2.45, the exam connection dropped. I failed ! Hmm, hadn’t failed certifications in a while 😀 , but again this wasn’t just another cert. I couldn’t sleep.. so I just watched some TV and talked.. and felt bad.. I notified them that I would not be submitting a report since I didn’t have enough points, they sent me a rescheduling link and I rescheduled for 3 weeks later to match my schedule !

Went back to my notes and screenshots, tried to figure out what I could have missed, and I think I had some ideas that I could try if I encountered those two boxes next time.

Try Harder

Second Attempt:

Basically the same thing happened. This time I did the 10 point box too, just for the sake of it: 55 points and NADA !

Notified again, rescheduled for three weeks later :). During the gap I wrote some scripts to automate, watched more walkthroughs, more videos, learned more and practiced on HTB and re-did the Vulnhub boxes, and I learned to use tmux. My script would take IP addresses separated by spaces, do the port scan, run the NSE scripts on the ports found along with the other manual checks that I would do for each port, and save the outputs to their own directory under the current directory.

Trying is not Enough, Try Harder !

Third Attempt: (Proctored, any exams scheduled after Aug 30th are proctored !)

The exam was scheduled for 9.00 AM. It was a proctored exam and I had to connect to screen and webcam sharing, do some identity verification and scan the room with the camera, 15 minutes prior to the scheduled exam time. I logged in and verified my ID and started screen sharing. The proctor then released my exam to begin at the scheduled time. At 9.00 AM I got the VPN credentials. Connected my VPN and the final step was for the proctor to gather some information after the VPN connected. After that was done, I was ready to begin. I minimized the webcam window, which had to be connected at all times, and the chat window, which I had to use to notify the proctor when taking breaks and after coming back before resuming the exam. I thought it was going to be very inconvenient, but for what it’s worth, it wasn’t as bad as I thought it would be. I just had to let them know when I wanted to take a break and notify them before resuming. Sometimes they wanted me to refresh the webcam before resuming and that was it !

This time I was going to attempt the 25 point non buffer overflow box first, because if I could crack that I would probably pass. Well, the port scan was slow and it didn’t make sense, so change of plans: went back to the BO box. Everything went well and in 30 minutes I was ready to generate my shellcode. And I encountered an error:

x86/shikata_ga_nai failed with A valid opcode permutation could not be found

Oops ! Didn’t expect this. Tried again and again and no go. I spent about 2 hours and I thought to myself, I will get the BO anyhow, so switch to the 25 point box; the scans were completed by this time.

Started the 25 point box, found the entry point, but what I expected should work didn’t. Tried harder but nothing. At this point I decided to go back to BO.

After some struggle, I took care of the error and got my 25 points. Now I think, 25 + 20 + 20 + 10, I could pass. So on to that plan.

Tried the 20 point box for an hour and nothing. I knew the vector and was pretty confident that would be it, but it didn’t work. Tried again and again, nope !

Switched to another 20 point box. I was not going to attempt the 10 point box because that wouldn’t help me pass without other higher point boxes. Spent another hour or so on the 20 point box and nothing.

It was 5.00 PM and I was still at 25 points. Decided to take a break. Ate some snacks, relaxed for a little bit and just spent some time in my backyard. Took a little longer break.

Back from the break at about 5.45 PM and in 15/20 minutes I got a reverse shell on one of the 20 point boxes. I thought to myself, okay, I have the low priv shell, I can escalate, let me get the foothold on the other box. With low priv on one 20 point box, I moved on to another 20 point box.

After about an hour of trying I had a low priv shell on another 20 point box. Now I was getting somewhere, I thought to myself. Once I had the low priv, it took me about 15 minutes to escalate privileges and dang, I had 45 points.

Back to the other 20 Points box where I had low privilege. Started my escalation enumeration and worked through my checklists and stuff.. and in about 30 minutes I had Administrative privileges. Oh boy ! I had 65 points under my belt now !

Now to the 10 point box !

This one was pretty easy, didn’t require Privilege escalation. I got this box in about 15/20 minutes and I thought to myself, dang I passed !

Took a longer break this time 😀

Back and tried to get that other 25 points. At this point I was probably so excited that I was going to pass that I didn’t try hard enough. About 10.00 PM I went to bed.

Woke up at 5.00 PM, better sleep than last two times :). I got back to the 25 point box and started trying again. I had stories about people failing the test because of the report and so that was playing in the back of my mind; honestly I couldn’t concentrate too much on that 25 point box. I wanted to get that 25 points, but I was thinking to myself, maybe I should do my report while I have the VPN connection. I started working on my report, making sure I had all screenshots and stuff. I probably had all the required screenshots but I didn’t want to take any chances, so for anything I felt should have a screenshot, I went back and got my screenshot.

I think it was a good idea to get the report done 🙂 . I had all the steps and screenshots needed for my report and went back to the 25 point box. I played around for a bit. I knew the vector and I knew the way in but my input combination wasn’t getting it right. I could have probably gotten that if I needed more points but oh well ! At 7.00 AM I thought to myself, I am done, and I notified the proctor that I wanted to end my exam. He asked for confirmation and terminated my VPN.

Took a break for a while and got back to the report.

Did my report .. did the proofreading, ensured everything was in order and correct. I did this probably 5 times throughout the day 😀 Then finally at 5.45 PM the next day I exported the report to PDF format, followed their submission guideline and created my report archive containing both exam and lab report. I looked into the archive again, made sure everything was correct and finally submitted my report.

After some time I got confirmation of my submission and now it was way too hard to wait for the result !

The next day I had to go to a wedding. The email I used for offsec is hosted on my own mail server and I don’t have it set up on my phone. I also have greylisting enabled on my mail server, so it sometimes takes about 15 minutes for mails to hit the inbox because of the policy rejection. Hmm… I would like to know as soon as the mail hits the server 😀 . I set up a script that continuously monitored the mail log and texted me if an email came through from offsec’s address.
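The log-watching idea from the paragraph above, as an added example that is not the author’s script: it assumes Postfix-style log lines, uses the placeholder domain sender.example with constructed sample lines, and leaves the text-message step as a callback. Because greylisting rejects the first delivery attempt, it reports that deferral as well as the later accepted retry.

```python
import re
import sys

# Assumptions: Postfix-style syslog lines; sender.example is a placeholder domain.
WATCHED_DOMAIN = "sender.example"
FROM_RE = re.compile(r"from=<([^>]*)>")
DEFER_RE = re.compile(r"NOQUEUE: reject: \S+ from \S+ 4\d\d ")
QUEUED_RE = re.compile(r"postfix/qmgr\[\d+\]: [0-9A-Za-z]+: from=<")

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    "Oct  5 10:31:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
    "mx.sender.example[203.0.113.5]: 450 4.2.0 <me@example.org>: Recipient "
    "address rejected: Greylisted; from=<results@sender.example> "
    "to=<me@example.org> proto=ESMTP helo=<mx.sender.example>",
    "Oct  5 10:33:40 mail postfix/qmgr[987]: 1A2B3C4D5E: "
    "from=<news@sender.example.evil.test>, size=900, nrcpt=1 (queue active)",
    "Oct  5 10:46:10 mail postfix/qmgr[987]: 4F1A2B3C4D: "
    "from=<results@sender.example>, size=4521, nrcpt=1 (queue active)",
]

def classify(line, domain=WATCHED_DOMAIN):
    """Return (event, sender) for a line from the watched domain, else None."""
    m = FROM_RE.search(line)
    if not m or not m.group(1).lower().endswith("@" + domain.lower()):
        return None  # exact-domain match: look-alike suffixes do not count
    sender = m.group(1).lower()
    if DEFER_RE.search(line):
        return ("deferred", sender)  # first attempt, held back by greylisting
    if QUEUED_RE.search(line):
        return ("queued", sender)    # retry accepted into the queue
    return None

def watch(lines, notify):
    """Call notify(event, sender) once per distinct event; return them in order."""
    seen = []
    for line in lines:
        hit = classify(line)
        if hit and hit not in seen:
            seen.append(hit)
            notify(*hit)
    return seen

if __name__ == "__main__":
    # Live use (path is an assumption): tail -F /var/log/mail.log | python3 watch.py
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    watch(source, lambda event, sender: print(event, sender))  # swap in an SMS hook
```

The envelope sender in a mail log is not authenticated, so an alert like this is only a prompt to go and check the inbox.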

The Result:

At 8.46 PM, when I was at the wedding, I got that text which just said new mail from offsec. Could have been a pass, could have been a fail. I was a little nervous, but I was a little more confident on the passing side. I checked my email and 😀 , I passed !

Took me a total of 5 months of Trying harder and yes I tried harder !