Hey all, I just got the results from my first OSCP exam attempt and I passed!
My thoughts on the exam…
- The difficulty is artificially increased; I encountered at least two different open-source projects (with source code available on GitHub) where the public exploit did not behave as expected
  - for an exam task, this punishes the user, as they are not aware of what lengths Offensive Security has gone to in order to modify the vulnerability
- The buffer overflow was surprisingly straightforward; they provide you with a PoC script, so you don't even have to fuzz for the vulnerable command (do the Buffer Overflow Prep room on THM)
  - find EIP offset
  - find badchars
  - find return address
  - generate shellcode
- Not a CTF, although your goal is to root all the machines and get the root flag…
  - keep the exam report in mind – you are performing a penetration test of the network and will need to enumerate and perform all tests on everything you find
  - In a CTF the path to the end may be more clear – usually the name or theme of the box will be a clue, but in the OSCP you need to enumerate everything and not assume you are on the right path, because they add rabbit holes (false clues that lead nowhere) on purpose
- Don't spend too long on any one machine. It was really important to take good notes and set yourself up so that you can move on to another box without worrying about losing progress on a previous box.
- Enumeration and searchsploit helped find possible vulnerabilities
  - Enumeration scripts like LinEnum.sh, linpeas.sh, linpeas.exe, PowerUp.ps1
  - Online hash cracking/lookup (CrackStation, so you don't waste time with a dictionary attack or brute force)
  - Burp Decoder – encode and decode data
- Take screenshots and notes of what you do; it will help immensely during the write-up
- Brush up on web application penetration testing, be comfortable intercepting and manipulating HTTP packets, practice various privilege escalation methods, and recognize and hone your own pentesting methodology
  - PayloadsAllTheThings https://github.com/swisskyrepo/PayloadsAllTheThings
  - GTFOBins https://gtfobins.github.io/
  - pentestmonkey http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  - netsec TTY shell https://netsec.ws/?p=337
  - sushant747 https://sushant747.gitbooks.io/total-oscp-guide/content/
  - Windows Privilege Escalation for Beginners https://www.udemy.com/share/102YIMCUIfdllaRXs=/
  - Linux Privilege Escalation for Beginners https://www.udemy.com/share/103eNaCUIfdllaRXs=/
The new PWK course includes Active Directory and internal network pentesting methods like pivoting, but the exam has not been updated. Although it was great to learn (and I further applied what was learned in TryHackMe's Active Directory Throwback Network), not having it show up on the exam was disappointing.
Each machine for the exam was very standalone; I wish they set up an Active Directory network where you would need credentials or information from PWNing previous machines and the end goal was to achieve domain admin. That would be a fun challenge!
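The post lists the buffer overflow steps without showing the bookkeeping behind the first two (finding the EIP offset and finding badchars). The script below is an added example, not code from the post or from the THM room: it builds the classic Metasploit-style cyclic pattern, recovers the offset from a register value as a debugger would display it, and runs the iterative badchar comparison against a constructed, in-process stand-in for a service (the `constructed_target` function is an assumption that simply truncates at newline bytes; no network or real target is involved).

```python
import string
import struct

# --- Step 1: cyclic pattern and EIP offset -------------------------------

def cyclic_pattern(length):
    """Return the three-character cyclic pattern (Aa0Aa1Aa2...) as bytes.

    Every three-byte triplet is unique, so any four-byte window that lands in
    a register can be mapped back to exactly one position in the pattern.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def eip_offset(pattern, eip_value):
    """Map a 32-bit register value (as shown by the debugger) to its pattern offset.

    The CPU is little-endian, so the value 0x41306241 was loaded from the
    bytes b"Ab0A" in memory order; pack it back and search the pattern.
    Returns -1 if the value did not come from the pattern.
    """
    chunk = struct.pack("<I", eip_value)
    return pattern.find(chunk)


# --- Step 2: badchar detection ------------------------------------------

def badchar_string(exclude=(0x00,)):
    """All byte values in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent, received):
    """Return the first byte of `sent` that did not survive the round trip.

    Bytes after the first mangled one are unreliable (the service may have
    truncated, shifted or translated everything that followed), so only the
    first difference is reported; the caller removes it and sends again.
    """
    for s, r in zip(sent, received):
        if s != r:
            return s
    if len(received) < len(sent):
        return sent[len(received)]  # buffer was cut off at this byte
    return None


def collect_badchars(transport, exclude=(0x00,)):
    """Repeat send/compare until the whole string arrives intact."""
    found = []
    while True:
        sent = badchar_string(tuple(exclude) + tuple(found))
        bad = first_badchar(sent, transport(sent))
        if bad is None:
            return found
        found.append(bad)


def constructed_target(buf):
    """Constructed stand-in for a line-based service: drops everything from
    the first 0x0a or 0x0d onward. Purely a simulation for this example."""
    cut = len(buf)
    for i, b in enumerate(buf):
        if b in (0x0a, 0x0d):
            cut = i
            break
    return buf[:cut]


if __name__ == "__main__":
    pattern = cyclic_pattern(2000)
    # A crash that showed EIP = 41306241 in the debugger (constructed value).
    print("EIP offset:", eip_offset(pattern, 0x41306241))
    print("badchars:", [hex(b) for b in collect_badchars(constructed_target)])
```

Feed `eip_offset` the register value exactly as the debugger prints it (hex, not the reversed bytes), and add each badchar it reports to the exclude list before the next round; the loop in `collect_badchars` is that manual workflow written out.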