OSCP-JOURNAL

Siddharth Johri
Nov 9, 2021 · 14 min read

Background:

I am 18 years old and have completed eJPT. I have done the following training for ethical hacking:

  • Practical Ethical Hacking(PEH) by TCM-SEC
  • Penetration Testing Student(PTS) by INE.

I will segment this blog into 7(major) parts:

  1. Pre-PEN200
  2. During PEN200
  3. Post-PEN-200
  4. Pre-OSCP
  5. OSCP Attempt 1 and After thought
  6. OSCP Attempt 2
  7. After Thought

I have gone through a lot of OSCP journeys and wanted to make one from the perspective of someone with very little background in hacking, and as comprehensive as possible (without violating the rules, obviously).

PRE-PEN-200

So I will start PWK (for PEN-200) in two weeks. I have covered a lot of HTB and Vulnhub and proving grounds stuff.

Green are the ones I have completed without any hints or write-ups.

Turquoise are the ones which needed a hint.

Purple are the ones which I did not complete/write-up was needed mid-way.

Red/Yellow/Dark Blue are untouched boxes.

Black are the ones which did not work for me.

Blue ones are the ones which i really really liked

Grey are also untouched boxes.

So TJNull’s list has very unique machines and even though I covered so many machines, I would still find new/unique vectors.

I completed Vulnhub machines first, then Proving Grounds, followed by HackTheBox. Almost one month each. I took hints and write-ups comparatively faster in HackTheBox since I was on the last leg of my preparation.

I had finished high school and college had not started yet, so I was spending all day on Vulnhub machines for a solid month, starting with 2 machines a day and going up to 4 (sometimes), obviously with break days.

Proving Grounds was a very unique and important experience. It has no community write-ups and very limited hints (it has a threshold you can’t cross), thus making you grind hard to pop a shell. The Windows machines were especially gruesome, not gonna lie.

For HackTheBox, I have just one piece of advice. Don’t sweat it tooooooooo much. Like, grind for 1–2 hours, but if you are not getting anywhere, look for a hint on Discord or go for the write-up.

One major piece of advice is to go through at least 3 community write-ups of *EACH* machine you do anywhere (except Proving Grounds, cuz there aren’t any) and look for different vectors which someone may have used, and document them.

I also did some machines from TryHackMe’s offensive security path, especially the buffer overflow ones, since that was a bit confusing for me at first.

My personal opinion is that Vulnhub and HackTheBox machines have a lot more unrelated stuff, and Proving Grounds has a very good level of difficulty which is not impossible to do without write-ups. HackTheBox and Vulnhub, however, are a bit off on a tangent in some places.

Planning to do one-month PEN-200 in two weeks and get OSCP finished by 1st week of December.

Wish me luck.

Will update on my progress in 2–3 weeks

One day to go to start PEN-200

So I have been doing some medium/hard machines on tryhackme and as always, finding yet more unique attack vectors. PEN-200 starts in approximately 7 hours and I want to do at least one more room before diving into PEN-200 labs.

Btw, I just reached 0xA|WIZARD on tryhackme and I am really happy.

I have offline college classes from Monday to Friday till 3:15PM, but hopefully I will be able to get at least 3–4 hours for PEN-200 labs/material everyday.

A Week into PEN-200

So I started last Sunday and it’s Saturday. I have done around 20 PWK (at this point I don’t really know if I should call it PEN-200 or the legacy PWK) machines and, to be completely honest, I don’t have a good impression of them. Most of it is very basic enumeration and privilege escalation, which I wouldn’t mind for practice and brushing up, which is exactly what I expected, but after a point it becomes straight-up CTF. I mean you get to the stuff through basic enumeration, but exploiting requires writing some exploits by yourself, which requires a little more research than what is doable for a machine. Obviously that is the whole point of practice, but these machines are not in sync with Proving Grounds Practice. The machines have some clever tricks in some places, so I definitely am not going to stop doing the machines. I feel every new vector is worth it.

I have been maintaining comprehensive notes of this too, but I am currently leaving the dependent machines, i.e. Active Directory and all. There is some stuff which makes some machines interdependent and it’s difficult to keep track unless you take a bird’s eye view of all the machines.

My two cents: PEN-200 labs are definitely worth it, but they won’t be able to make your methodology stronger/faster. I am taking one month of lab time, and I think I will be able to wind up the stuff I want to do by then.

I will not be tackling the PDF exercises given by Offsec as it’s way too lengthy and, to be honest, a little too basic for me to be covering in the one month of lab time I have. I was planning to take the exam in the second week of December, right before my birthday, so that I could say that I am one of the youngest people in the world to clear OSCP if I actually cracked it, but all slots are gone. I will probably give my first attempt in January.

Will update in a week or two.

Major UPDATE

So Offensive Security revamped the whole exam. Removed the buffer overflow machine (RIP easy 25 pts) and the easy and hard machines.

They have added an Active Directory component worth 40 points and boosted the course lab report bonus marks to 10 points. Now there will be 3 medium machines (20 points each). I am not so sure about the Active Directory machines. It says 2 machines, 1 domain controller, but it isn’t mentioned whether that means 3 total machines or 2. I have asked Discord mods quite a few times, but I have not yet got a straight answer.

I was ignoring the lab report since it was just 5 points and I was confident enough with the previous exam pattern to neglect that. But now it’s a pain, but I will be completing the lab report. Some people say it’s about 500 pages long for some of them, but I don’t really care if I get enough time to practice Active Directory on the PWK labs (yes, I left those for later).

All in all, the exam has definitely seen major updates and will probably be more relevant, but it will be difficult for me to cover everything side by side with my college going on. Hopefully it doesn’t stretch out too much since I only have 20 days of lab access remaining.

If only Offsec had done this a month ago or something, it would have been absolutely fabulous for me. I am not scared of Active Directory, but I have not practiced it enough to be confident.

Some Progression.

I have 16 days of PWK left and I didn’t want to put all of it into completing the lab exercises.

After doing quite a few of them, I realize how good the material is. I heard many people trashing the PWK material, but for me it had a lot of really good stuff. Not just for OSCP, but in general. No wonder sharing the PDF is not allowed.

People have been very helpful on Discord. I broke metasploit-framework today and msfvenom was giving me absolutely empty payloads. Vulx and ApexPredator on Discord helped me get through it. It turns out that I was testing it wrong and got a random staged vs stageless payload refresher.

I am through about 70% of the lab exercises. I have AV evasion, binary exploitation and Empire left to cover. I also have to finish 10 machine write-ups. I am thinking of completing a set of AD machines and including them, just in case I have to retake the exam and submit a new version.

I have college classes and semester exams coming up in 20 days, really stressed due to that, but proper preparation is on for OSCP.

Post PEN-200 labs

Okay, so my semester is ending today, and semester exams and vivas etc. are ending around 20th January. I have the exam scheduled for 5th February and feel comfortable with that. I go over my notes every once in a while and go like “Damn, that’s a nice vector!”. After doing the AD machines on PEN-200 labs, I feel quite confident and ready to give the exam. There are some things on my mind which do make me a little uncomfortable, like the 3 medium 20-pointer machines. They are not really a very comfortable topic for me since I don’t really know what a 20-pointer actually means with this new pattern.

It won’t be fair to say that the NetSecFocus Trophy Room has been in vain, since it had a lot of really amazing vectors not only for general/independent machines but also for Active Directory initial vectors and privilege escalation.

I did have a talk with the Discord mods and creators on the official Offensive Security server and they made it seem like the AD is replacing the BoF machine in terms of difficulty. They obviously did not say that out loud, but they were quite adamant about the PEN-200 material being enough. The material is not tough, it’s quite basic. It touches a lot of domains but it’s quite elementary. Basically dependent on initial enumeration, which, well… is always the case with Offsec, as per the people I asked for advice on the exam.

Pre-OSCP

Okay, so my semester exams are over, now I’m looking at around 2 weeks of pure penetration testing. I also got COVID :( , but that is just giving me an excuse to sit at home and grind.

I am really out of sync since I did not practice during my semester exams period. They really were not worth it though.

Anyhow, I’m looking at doing some Windows boxes from TryHackMe, maybe even picking one from HackTheBox if I feel a little too confident. I talked to many people who attempted/passed the new format. All they have to say is either along the lines of “PEN-200 labs were too easy, the exam was very very difficult”, or “Everything you need for the Active Directory is in the PDF.”

I won’t say I am absolutely comfortable with Active Directory, but I feel pivoting (rather, hopping) on the AD is more or less about Pass the Hash or the Golden Ticket attack. Obviously the classic approaches with new credentials are the most important thing to do, but at least the labs in the course were based on pth-winexe or the golden ticket attack via mimikatz.

I recently came across some really interesting attacks like PrintNightmare and ZeroLogon. I wonder if I’m gonna encounter a situation where I would need to use those.

Due to my semester exams I totally missed the log4j vulnerability, I think I might give John Hammond’s room on TryHackMe a spin in some free time.

Okay, so the next time I write, it’s probably gonna be either one day before OSCP or OSCP attempt 1.

So, see you then.

12:30 Hours left

I did not feel any anxiety up till now, but oof, this is so nerve-wracking.

It’s not like I am very underconfident or anything. It’s just that this is what I have been working for, like, the last 7–8 months. I am nervous that something is gonna go wrong. Ensured the electricity and WiFi are as non-interruptible as possible, but there is this nagging feeling heh.

Don’t know how much time it’s gonna take me to go through everything that I am able to do, but I will try and make the report as and when I am doing the machines.

Will go for the AD first and then move on to the independent machines unless I am stuck on a client for more than an hour. Gonna time this out properly.

This is exciting ngl. Waited for this weekend for like 3–4 months now.

OSCP Attempt 1

I am absolutely devastated. I am still happy to have done as much as I did, but the exam had me bamboozled.

The Active Directory’s initial foothold was one barrier I could not cross. One machine seemed to be broken, but I felt that I could get through.

There was one BoF machine whose privilege escalation was quite impossible for me. I mean, I tried all the vectors I knew and used all the scripts I could. It was just weird. Maybe I missed something very obvious.

One Linux machine was pretty slick: a very simple foothold and a privilege escalation which I didn’t have to do thanks to a recent direct exploit path.

There were some technical difficulties due to which my exam time was increased by 2.5 hours, but honestly I did not make much progress after the first 12–14 hours.

I started at 10:30 AM and it’s 5:30 AM right now. I am more than exhausted and have not slept since yesterday 8:30-ish AM. I don’t know why I am writing this right now, but ugh, it feels so miserable, working all those months to get stuck on a webapp foothold. It wasn’t the most obvious webapp in my opinion. I tried all sorts of stuff, but the machine just won’t budge :( .

I had amazing proctors and people on the live chat. They actually cleared the technical difficulty pretty quickly. Overall I am hella disappointed but still looking forward to the next attempt.

I hope I can give the next attempt before March, since after that the lab report will need proper documentation of the AD targets, which I don’t really have, and I don’t want to buy more lab time now.

Anyways, I gotta sleep.

OSCP Attempt 2

So, I have been awfully busy these few days, so I couldn’t really talk about what I was doing to prepare for my second attempt.

College semester had started, professors handing out assignments and all.

In short, I did absolutely nothing to prepare for my second attempt. I made a machine for Offensive Security in their user-generated-content section, but that is yet to be followed up on.

I wasn’t scared of OSCP on the second try, but since I got the exact same AD set as last time, I got disheartened and all. I was actually giving up on the exam in the first 2 hours. Now a little bit of context: my exam started at 11:30 PM, which I now feel was a good thing since I could get some sleep early on and grind the rest of the time.

So I woke up around 6:30 after trying a few things till 2 AM and, I don’t know why, but I was pumped. I jumped on a random independent target and pwned it in like 1.5 hours (screenshots and all).

I got some boost due to that and tackled the AD environment. Now I don’t know how, and I don’t wanna sound clichéd and say “I tried harder”, but I actually did and got through the foothold. I fooled around a bit and wasted a lot of time trying to crack a hash which wasn’t meant to be cracked. I wasted like half a day on this. Anyhow, I got through the AD environment. It wasn’t hard at all. I feel I could have done it within 2 hours if I had kept my thought process on one track. During the exam, my mind went in different directions, trying to think about 3 vectors all at once.

Anyhow, after that, the independent machines were hardly touched by me. They just didn’t budge. So I had 60 points from machines and 10 from my lab report.

Basically I would’ve passed, but I still wanted to get that one more independent target.

Anyhow, I wasn’t able to, and I finished my exam around 10:45. This was on Sunday.

Fast forward to Tuesday. I came back home after watching “The Batman” with my friends and was going to write an email to my professor when I saw this email on my student email ID.

It said congratulations and all and I lowkey started jumping lmao. My happiness had no bounds and I had successfully completed the OSCP certification.

I will add some afterthoughts and tips about the OSCP in a few days. But if you really want to go for OSCP, don’t think too much, go for it, or at least start preparing.

Byeeeee.

Afterthought on OSCP

Okay, so I think this certification is not easy, but the recent changes may have made it a little easier to break through (personal opinion). The AD was practically an easier version of the ones in the PWK labs. But the independent targets are surely something to prepare for.

There are so many things in the exam which you can do only from instinct. TJNull’s checklist is still very relevant and actually very handy if you make proper notes for those machines. The foothold on the AD particularly wasn’t conventional. It wasn’t anything outside the list as far as I know, but getting through it wasn’t very difficult once you got the initial hit on the webapp.

Other people also had a similar experience with the AD. I think some other sets had very easy footholds and a very easy AD process overall, but this one was the reason a lot of people dipped (including me). So all you prepare for in the months you do HTB, THM and Vulnhub etc., you are preparing for the initial breakthroughs. Tiberius’s rooms on TryHackMe on privilege escalation were like what the exam was based on haha. Do those and privilege escalation won’t be an issue in Windows. Linux, on the other hand, is a different issue: there are too many custom techniques, it’s all about practice.

All in all, I learnt quite a lot from the whole PWK course and think that it is good to make your mind race in those 24 hours, or in a pentest in general (say a room on TryHackMe). But I don’t have any experience in the industry, so it’s just speculation.

I can’t expose anything about the exam and it’s really difficult to help someone without doing that haha, I read OSCP journeys too. But I don’t think OSCP is the hardest thing in the world for a green (new) hacker. I still consider myself very new to the whole field since I see TCM and John Hammond going on about stuff that’s not instinctive to me at all. There are so many things and tools to know about, it’s a long process.

My personal opinion is that OSCP is a long process. You can’t pop into the PWK course and crack it by just reading their material. Don’t get me wrong, their material is superb, but it’s not enough to give you the instincts of a hacker. Their labs are a little buggy, but still they are very very worth doing. But a background with HackTheBox and Vulnhub or TryHackMe is something that will set you up on a pedestal which will let you have a broader view of the whole process of hacking a box. PWK is then just an accessory to your methodology, which is what it’s meant for, I think.

Long story short, I completed OSCP at 19. It wasn’t the most flawless attempt, but I have literally no background in this field. In less than one year’s time, I got through with it and have a comfortable stand while conducting a pentest.

My next steps

So after this, I think it will be decent to attempt to go for the PNPT by TCM-SEC or eCPPT. But rushing through them won’t do me much good, I feel, even if I pass. I want to do some bug bounties and get, like, an internship at some place to broaden my horizon and get some idea of the actual industry.

I have been a part of Bugcrowd for a long time, but I don’t have any (literally) progress on any bug bounty yet. I tried some stuff a while ago, but nothing conclusive.

I might even start doing YouTube (should I?).

Thanks

Thanks to my family for being so supportive and thanks to you for following along. Have a good one.

This marks the end of my OSCP-Journal.

All the best.