An Utsusemi of Keramas

Tales of security research, penetration testing, red teaming, and general hacking shenanigans.

26 July 2018

Trying Harder: The Journey for OSCP

by Keramas

I've been quite inactive with CTFs and writing VM walkthroughs recently--but with good reason! Back in May I decided to take the plunge and register for OSCP.

There are a wealth of blogs with their thoughts on the process already (nearly all of which contain great information!), but I'd like to share my own as well as how I prepared. I hope my comments do not come across as tooting my own horn--instead my intention is to drive the point across that with passion, dedication, and tenacity you can achieve anything. If you are reading this, you are likely aspiring to take OSCP, and I assure you that YOU CAN DO IT! (But you have to try harder!)

Background

Key point: You don't need to possess a PhD in computer science or anything like it to learn what you need for this certification. Passion and dedication trump all else.

I started college as a computer engineering student, but was put off by all the math, so I switched my major to Japanese (I see you laughing, but I am actually fluent now!). I didn't have any formal computer engineering/IT-related training. I've liked computers since I was little, and I have always been allured by hacking. (Yes, the movie Hackers was an influence growing up.)

Rewind the clock to February 2017. I quit my job of 8 years at a major video game company to make a career shift to the IT field with the hope that I could get into infosec one day. I honestly had never heard of penetration testing before, and when I read about it, I made a decision to go full force to learn. I then discovered the existence of OSCP and thought it to be a pipe dream. It wasn't until I really started hitting HackTheBox hard that I felt I stood a chance against OSCP.

The Test

Attempt 0x01 - Segmentation Fault

Key point: Keep it simple and try not to let yourself overthink things.

My test started at 6PM. As I am a night shifter in a SOC, I woke up at around 4PM, grabbed an energy drink, and started mentally preparing. After guzzling down most of my drink, I was anxiously awaiting the VPN connection package to access the exam lab. When the email came, a combination of the caffeine and nervousness hit and I was shaking like crazy. It took a bit of time to calm down and get settled. My strategy going in was: buffer overflow machine > 10 point machine > 20 point machine > 20 point machine > 25 point machine. Sticking to this, within 3 hours I finished the BOF, a 10, and a 20. 55 points and 20 hours of time left--I was in great shape! Working on the other 20 point box was where things took a turn. I had a ton of information to play with from my enumeration, but I wasn't making any progress. After a cursory look at the 25 point machine, which seemed rather daunting, I decided to just focus on the 20 pointer and go all in. However, I just wasn't able to get a shell. I worked hard up until time was up, but unfortunately I just couldn't manage to get it.

The next day after I woke up, I took a look over my notes and the screenshots I had captured, and I noticed what I had missed. Obviously the test was already over and it was too late to do anything.

However, it taught me the lesson to not overcomplicate things. Had I kept it simple and followed up on my instincts about what I was looking at, I would have had it. I wasn't going to let this set me back. I scheduled my second attempt for a week later, and I was more confident than ever that I would succeed the next round.

Attempt 0x02 - Success

Key point: Take the time to do your lab report!

This time around I went in much calmer and felt really great. Once again, after 3 hours I had finished the BOF, the 10 pt, and a 20 pt machine. I was in the same position I was last time: 55 points and plenty of time left on the clock to lock in another machine. Instead of only looking at the 20 point, I really dug into the 25 point box as well, and I am very glad I did. The 20 point box was rough this time. It felt like a brick wall, and I was very lost on it. I switched my focus to the 25 point box, and after a lot of effort, I found a way to get a low-privilege user shell on it. By this point I was exhausted. I had completed the lab report for an extra 5 points towards the test, so I felt that I should be able to pass the exam factoring that into the equation, but I didn't give up and kept trying to escalate privileges.

Unfortunately, it was dead end after dead end, and sleep finally took over. I decided to set my alarm early in the morning to sit down and write a quality exam report as well as touch up my lab report to ensure that I received full credit for everything. Still super nervous, I turned everything in.

About 24 hours later, I saw the email come in stating that I had passed! It was the best feeling in the world knowing my hard work and effort had paid off.

Preparation

We all learn and retain information differently, so what worked for me might not be applicable to everyone. However, I hope the following serves as a good reference for those who are curious.

Phase 0x01 - CTFs and VulnHub

Before discovering HackTheBox, I was a CTF and VulnHub junkie. They were the real gateway drug into all of this.

CTFtime.org - This lists every upcoming CTF event. Join them and try as best as you can to do the challenges. While some challenges may not be directly related to penetration testing, they will teach you a ton, including how to look at problems in different ways.

The best thing about this site is the archive of writeups. If you can't solve a challenge, come back when the CTF is over and BE SURE to read the writeups people post. You will learn so much from doing this.

VulnHub - This is a treasure trove of vulnerable boxes to practice penetration testing techniques against.

If you are brand new to all of this, my advice is the following: look on YouTube for walkthrough videos of some beginner boxes that look interesting to you, boot them up, and follow along. I did this for a while when I was starting until I got comfortable with the methodology and learned more. Eventually you will have to take the training wheels off and fly free, but it is a great way to understand the process.

Phase 0x02 - Hack The Box

I was working with someone on a CTF and they told me about Hack The Box. Following their recommendation I checked out the platform and I was blown away. Vulnerable boxes and CTF challenges all rolled into a single site!

I've had a lot of people who are currently in the OSCP labs ask me for advice, and I am surprised that many of them haven't done any Hack The Box. While it is true that most of the boxes are more CTF-y in nature and not necessarily what you may find in the real world, the training they provide is invaluable.

I strongly suggest working through as many boxes as you can before OSCP.

Additionally, be sure to check out the YouTuber Ippsec. He does walkthroughs of retired Hack The Box machines and every video is loaded with learning. Make sure to take notes and watch the videos more than once!

Phase 0x03 - OSCP Labs

Time permitting, do every single machine in the lab. I went hardcore and finished every machine by the 35 day mark of my lab time, but I literally spent all of my non-work hours in the labs. They reinforce the methodology and each one has its own takeaways.

Along that same line, as I mentioned previously, take the time to do your lab report. I recommend starting PWK by reading the course materials and doing as many exercises as you can before hopping into the actual boxes. You will be able to complete exercises as you go through boxes, so don't worry about getting them all done, but start getting into the habit of documenting everything you do.

Tools for documentation (take your pick):
KeepNote
CherryTree

By the time you have done all of the above, you will have experienced so much and have seen so much that you will be ready for nearly anything they throw at you. Take good notes for everything you do for reference later. I personally keep a handwritten notebook of everything as well. This pushes the retention of knowledge further for me. Give it a try and see if it helps!

Conclusion

This certification was a journey. I almost feel empty that it's over, but OSCE is in my crosshairs now. If you have any questions or are interested in study tips, etc., feel free to talk to me on the NetSec Focus Mattermost. I am always happy to help others grow and achieve their infosec goals. Most importantly: don't give up! It may seem rough at times, but I guarantee you will be able to pull through with the proper dedication. Good luck!