The Penultimate Guide to Defeat the OSCP
The Cuttlefish: Most hackiest of all the cephalopods


This article is a non-technical resource to help guide you through your OSCP journey. This isn’t the ultimate guide (ultima), but almost the last guide you will need (paenultima) to defeat the OSCP. The last guide before all the others that I will recommend. I am writing this guide for the practical offensive security rookie (really myself in December 2016). I’ve included a plethora of information here, but I’ve tried my best to keep it all relevant towards the goal of passing the OSCP exam. This guide will set you up with a foundation for success and introduce you to a ton of challenging technical work.

Overview:

1. The Pre Lab

2. Beginning the PWK Challenge

3. Knowledge Check

4. A Note On Creating Your Own Buffer Overflow Exploit

5. Final Preparation Before Your Exam

6. Your Plan of Attack for Defeating the OSCP

7. Conclusion and Recommendations for Total Immersion


1. The Pre Lab:

Get yourself set up with a Kali box. Offensive Security has a free ebook called Kali Linux Revealed if you need assistance setting this up and there are plenty of guides out there.

Find a note-taking tool on Kali that you will use throughout your OSCP journey. I suggest CherryTree. Use this for each individual machine. For searchable notes, I used Google Docs (Word or any other product will serve this function as well). I had 150 pages of notes to search through by my final exam. CherryTree kept things clearly separated and was easy to set up and insert screen captures into. I suggest starting with a standard setup:

Name the Child Node the IP address / Hostname and within the node:

Hostname, OS Version, Open Ports, Verified Users, Initial Recon Results (later you can add sections like Targeted Scans, Full IP Scan, Service Enum Results, etc.).

Cherry Tree Example

Next, hop on OverTheWire and work your way through Bandit and Natas. Get as far as you can on your own and only consult a guide when necessary. OTW is a great introduction to Linux, bash, and web app hacking. It also teaches you how to learn while using Linux (the basics like the man command and so on).

Start developing your own Plan of Attack. Start with the foundational Penetration Testing Framework, but build it out into a step-by-step action plan and make it your own:

  • Recon
  • Scanning / Vuln Assessment
  • Gaining Access
  • Privilege Escalation

Immediately subscribe to CTF master Ippsec. Ippsec is a Hacker/Youtuber/Hero who walks step by step through how to exploit HackTheBox.eu’s retired CTF machines (he has also designed CTF machines). The first thing you should check out is his video on tmux; this will be a great skill/tool to have in your foundational knowledge. There was nothing more valuable to me throughout my OSCP journey than watching all of his videos and taking detailed annotated notes. Ippsec is thorough and often explains exactly what he is doing and why. His mistakes are not edited out, so you end up learning how a pro struggles through problem-solving in challenging situations. These notes are especially useful during an engagement, CTF, lab, or the exam. You will be able to quickly search through your digital notes and find useful guidance on how to proceed with a similar machine you may be faced with. One of the most effective training strategies is to hop on the retired box, attempt it yourself (when you have enough confidence) and then follow his steps, but this will require you to gain access to HackTheBox.eu.

Example of Annotated Notes

So, gain access to HackTheBox.eu. You must get yourself an invitation code by hacking into the site. This is another time that you should attempt to gain access yourself, and if you are not able to, there are plenty of guides out there. HackTheBox is the second most important thing I did in preparation for the exam. I wish I had known about it well before signing up for the PWK (Penetration Testing With Kali Linux). Walk through the available retired machines with Ippsec’s videos. As you gain some skills, apply them to some of the live machines and see how high you can level up!

Visit Vulnhub.com and download several machines that have guides to them. My personal favorites: GoldenEye1, Mr-Robot, XVWA, DVWA, Stapler, VulnOS2, SickOS1.2, Droopy, FristiLeaks, Lord Of The Root, Brainpan, Sokar, SkyTower, and Kioptrix. Download these images and set them up in VMware Workstation Player or VirtualBox. There are plenty of guides out there for this as well. Once you have your own hacking lab set up, get to work. Find your hosts with Netdiscover and start exploring with Nmap. Begin by using your search engine abilities.

Remember through every step of your journey to add notes to your repository and continue to build out your own Plan of Attack. 

2. Beginning the PWK Challenge

I suggest purchasing the maximum amount of lab time here. The PWK (Penetration Testing With Kali Linux) is the course that is required to gain access to the exam. Once you make the purchase, you (currently) have to wait until lab access is granted before Offensive Security will provide you with the course materials (videos and 375-page workbook). Definitely work through all of the videos and coursework. By completing the coursework and writing up a pentest report for 10 lab machines you get Continuing Education Units towards other certs (whether you pass or fail the OSCP exam), and you also get 5 points of extra credit towards your exam score.

The course materials, at this point, should help provide some explanation, definition, and detail of the efforts you made prior to signing up for lab time. Find your balance between learning the course materials and spending time in the lab. There are many ways to accomplish the same goal when attempting to hack into a machine. I personally leaned towards the methods used by Ippsec over a decent amount of what was taught. The course should help to provide you with a better understanding of the tools you’ll be using and the consequences of certain actions in an engagement. This will help you formalize and refine your plan of attack. There's more than one way to crack an egg; choose your favorite.

As you gain more knowledge, especially of exploits, I suggest creating a Google Sheet or an Excel sheet to keep track of exploits that have been successful for you in the past. I set up the columns: Exploit (linked to the actual exploit), How to Compile, OS Versions Affected, Notes. This gave me a great reference to use as I came across particular vulnerable OS versions or other software.

Sample of my exploit notes

Knock the course materials out as efficiently as you can and dig into the lab. I suggest timing yourself and keeping notes regarding the amount of time you spend in the lab. I’ve heard that 80-100 hours of lab time is recommended. Over the course of my journey, I spent over 200 hours in the lab and many in the HackTheBox.eu lab. I won’t share specifics about the PWK lab, but a challenge you will face is how much time to invest into a single machine. The forums will assure you that there are certain machines that require you to have exploited other machines, so you will not be able to gain access no matter how hard you try until you’ve taken on a companion box. With this being said, I would suggest setting a time limit of 3-5 hours and then moving on to a different target. I would use a similar rule for looking for assistance in the forums: give yourself 3-5 hours on a machine before looking for peer assistance. The reason is that there will not be a forum to consult for the exam and you do not want to rely on this crutch. While starting in the lab, take on the low-hanging fruit that you find with Nmap NSE scripts or vulnerability scanning. Nail down the base requirement for the extra credit points, so that you can more freely pursue other machines without the added pressure.

Your primary development goal should be to experience the wall that arrives from not being able to solve a problem and to persevere until breaking through that wall. You won’t learn too much from the quick machines that you do a quick Metasploit search on and successfully break into. You will learn a ton from the frustrating, challenging machines, the systems that make you feel like there is no possible answer: the machines that you enumerate and exploit by hand, where you find the small details you may have missed that led to your success. These are the machines whose process you should be sure to document, so that the experience will continue to provide you with value moving forward.

3. Knowledge Check

At this point, you should have a familiarity with quite a bit of information. Here are the most important things you should have some confidence with by now:

Basics: how to navigate a terminal on Windows and Linux, word lists like rockyou.txt, how to read Linux permissions, how to read Windows permissions, path traversal information gathering, SQL injection, how to perform Shellshock, how to abuse sudo, LFI and RFI attacks, authentication bypass, and how to escape a restricted shell.

Tools: nmap, ncat, tmux, SSH, Sparta, gobuster, Burp Suite, nikto, hydra, enum4linux, rpcclient, snmpwalk, icacls, dotdotpwn, searchsploit, FTP (in general), SMTP (in general), LinEnum.sh, Linux Exploit Suggester, msfvenom, Wireshark, and Sherlock.ps1.

Sites: OSCP Exam Guide, PentestMonkey, Hash Cracking Sites, Privilege Escalation, Practical OSCP Tips/Tricks, Exploit-DB, Low Priv Enum Linux (g0tmi1k), Default Credentials (open-sez.me), RTFM online, 0daysecurity master enumeration, how to use vi (for the brave), GTFO bins (love these), LOL Bins, and Abatchy’s Awesome OSCP Guide (my personal favorite OSCP guide). I’m sure there are many more to add to this, but this is a decent start. 

Special note: It wasn’t entirely clear how much scripting/programming knowledge I would need to successfully pass the OSCP exam. I really claim to have little to no scripting/programming knowledge, but I do know enough to be able to dissect how an exploit functions and be able to manipulate it to serve my own function. These are the questions you need to affirm: Can you understand enough to manipulate the exploit, in whichever language, enough to do what you need it to do? Are you comfortable with reading the comments on how to use/alter the exploit? Do you know enough to write your own buffer overflow exploit?


I believe the course materials and studying the Ippsec videos should give you more than a sufficient amount of scripting/programming knowledge to pass; however, you may need a bit more information to succeed at creating your own buffer overflow exploit.

4. A Note On Creating Your Own Buffer Overflow Exploit

Make sure to complete the course materials regarding creating a Windows and a Linux buffer overflow exploit. Then run through the Corelan Buffer Overflow Exploit Part 1 (no need to go beyond 1). My final suggestion to find success in creating your own buffer overflow exploit is to annotate the Buffer Overflow Guide by Stefan Molls (the audio isn’t the best, but his use of Mona for bad character discovery is excellent). In the end, I would suggest compiling this all together into your own step-by-step guide. By doing this I had my buffer overflow exploit creation go from a painful 8+ hours to consistently successful in about 45 minutes.

5. Final Preparation Before Your Exam

After my first set of lab time ended I did not have the confidence to attempt the exam (this was after 90 days of the lab, taking a ton of notes, and studying the course material back and forth). I regret not signing up for it. It is included in the price of your lab time, so you really might as well. Don’t be like me on my first chance and don’t be afraid to fail. I eventually embraced failing by failing forward and failing fast. In the end, you really do learn the most from failing. Even if you don’t think you will get a single point, you should attempt the exam just so you can experience it and sign up for the next attempt as soon as you can.

Motivational Ice Fisher Saying Never Give Up

6. Your Plan of Attack for Defeating the OSCP

Finalize your Plan of Attack for the exam; this is essential when you have the pressure of the exam and many ideas flying through your mind. In your Plan of Attack: add checkboxes based on your priorities, create time restrictions, schedule regular breaks, schedule meals, and schedule sleep.

My Scoreboard and more

What do you need in order to logistically manage your sanity? Schedule in breaks, eating, your morning/afternoon/late-night coffee, allow your subconscious some elbow room and don't forget the occasional sleep! Create a scoreboard so that you can easily keep track of your current status (I spent a lot of time in my early attempts worried about how many possible points I had and how I would earn the remaining points). A scoreboard gives you that quick confirmation of the status of your points and you can measure that against your remaining time. 

7. Conclusion and Recommendations for Total Immersion

One of the best aspects of my journey through the PWK (beyond the practical penetration testing skills) is that it helped me improve several characteristics: perseverance, problem-solving, creative thinking, thinking under pressure, attention to detail, time management, and humility. I hope the information provided here helps you grow as a person and improve as a cybersecurity professional.


I believe I have provided a sufficient amount of information to pass at this point, but there are some out there like myself that want more data for total immersion.

Other Guides: File Transfer Guide, SQL Auth Bypass, SQL Injection Cheat Sheet, Metasploit Basics, LFI Cheat Sheet, Cold Fusion Cheat Sheet, All The Things Payloads, Ultimate Windows Priv Esc Methods, NFS Attacks, Michael LaSalvia: Path to the OSCP, Rumkin Cyphers, All the Exploit Papers, and OSCP Practical Tips.

Movie: Zero Days

TV: Mr. Robot (pause during scenes with a terminal and understand what is going on)

Books (Practical): Penetration Tester’s Open Source Toolkit, Penetration Testing (Weidman), Hacking: The Art of Exploitation, The Hacker Playbook 2, The Hacker Playbook 3, The Web Application Hacker’s Handbook, Violent Python, The Shellcoder’s Handbook, and Advanced Penetration Testing.

Audio Books: Deep Work, The Art of Invisibility, Grit, Spam Nation, Red Team: How to think like the enemy, Ghost in the Wires, The Girl With the Dragon Tattoo, and Mastery.

Community (this was discovered after obtaining the OSCP): Cybrary has an awesome, friendly community dedicated to penetration testing and the OSCP. I’m now a Career Mentor at Cybrary and can tell you that the community is warm, welcoming, and active. You can gain access by signing up for Cybrary Insider Pro. If you made it this far, get a 50% discount by using the coupon: CBALL50. You deserve it!

Doug Rime

AWS Cloud Security | Cybersecurity Consultant

4 years

This is amazing. Kudos to you for writing it down. Makes it easier (and provides hope) to those who feel like they're flying blind. Gracias!

Sabarish V.S

M.Tech Cybersecurity | Amrita Vishwa Vidyapeetham

5 years

Very useful.

Omayr Zanata

Head of Technology | Leader | Engineer | Bug Hunter

5 years

Thanks for the guide, very helpful.

Really nice article!! Thanks a lot! Till the end of the year I will take it!! Congrats man!

Samdup Choephel (He/Him)

M.S. in Cybersecurity at Georgia Institute of Technology

5 years

Thank you very much for sharing your knowledge and experience :)

More articles by Corey J. Ball
