Offensive Security Certified Professional – Lab and Exam Review

The OSCP is one of the most respected and practical certifications in the world of offensive security. With this post, I intend to share my experiences as well as some tips and tricks for getting through the lab machines and the arduous 24-hour exam. I hope this helps you get an overall feel for the PWK course and the OSCP certification.

To be honest, I took this exam because I was hungry for knowledge and I was not shy of self study. I was willing to put in 6-8 hours every weekday and 25-30 hours on weekends. Did everything go smoothly? Absolutely not. Stuff happens – whether personal or work related – so build that time frame into your planning. If you’re married, a patient and caring wife DOES HELP! You bet – it all pays off in the end.

Where do I stand?

Well, first of all, I’d highly recommend taking an inventory of your skill set against the certification topics. It’ll save you some lab time if you’re already familiar with the following topics:

I’d say start out with a 60-day lab and schedule your exam right after that, or towards the end of your lab time. I took plenty of time to go through each section of the study material and made sure I finished all the course exercises while taking good notes. Do this and you’ll thank me later!

Contrary to what most people recommend, I felt pretty comfortable with MS OneNote for taking notes and screenshots. For me, ubiquity was of prime importance and I needed access to my notes everywhere. I also made frequent backups of the Kali VM that I obtained from the OSCP registration link. This is a custom Kali image designed specifically for OSCP, so try not to update the Kali distro or it may make one or two course exercises difficult to finish.

Getting Dirty and Wild in the Lab

The lab environment is made up of several different subnets. While some machines are completely independent, some of them depend on other machines. If you’ve done all the course exercises, you may have already gotten a few machines. The following links will help you big time while you’re in the middle of the lab machines, scratching your head:

Remember, the goal of the lab environment is not to crack all the 40+ machines but to develop a practical strategy for effective enumeration, exploitation and post-exploitation of any machine that comes your way. I’m going to share a custom enumeration road map that I created for myself and which can benefit you while you’re there huffing and puffing.


There needs to be absolutely no confusion about what steps to take for a machine with, say, a web port open. I’ve heard that you should follow your intuition, but when you’re learning a new skill, intuition may deceive you! I’ve spent countless hours drilling down a rabbit hole just because it felt right. Sometimes I was right, but not most of the time. Don’t spend a week on a machine, especially when you’re starting out. Remember, success leaves clues. Also, a good note-taking habit will take you a long way, not just for writing reports but also for recollecting info on a machine when you revisit it after a week. I also made a spreadsheet of the different exploits I came across, but that wasn’t too useful as most of the machines required little tweaks. No two machines are the same!

Don’t give up!

OSCP self study and tackling labs alone can be intimidating but there are forums and IRC channels where you can get a lot of hints. Also, there’s an option to get some hints from offsec admins in case you just can’t find a way out. Don’t count on it too much though! You ain’t getting anything more than a hint.

Hang in there! And don’t forget your root dance every time you 0wn a machine. It’s incredibly exciting when you get root after hours or even days of sweat and sleepless nights.

Pitfalls to look out for:
  • Not doing enough post exploitation: While the joy of getting root is inexplicable, hold your horses and dig in for every bit of information you can gather. Does the machine have any database? Who is the machine talking to? Does the machine have any vulnerability (like XSS) which can be used to pwn other machines? Do your homework, because it’s very frustrating when you miss this information and then can’t get into other machines because they depend on it.
  • Not practicing all the tools available: In the beginning, I got excited because I was able to break into a number of machines using Metasploit, but that doesn’t give a whole lot of learning experience, does it? Be sure to know and use all the Kali tools available in your arsenal. After all, automated tools like Metasploit are restricted in the exam.
  • Sticking to one methodology: Well, just because you were able to brute force your way into one machine doesn’t mean you can do that for all of them! Give yourself a timeout. If brute forcing doesn’t work within 30 minutes, the machine is not designed for getting in that way. Of course, the results of brute forcing always depend on the word list you feed it. Maybe you can get a better word list?

Am I Ready for the Exam?

That’s a tough question to answer. At the least, I’d say get all the public machines (with the exception of a few, of course) and some machines from each subnet to be able to feel confident about the exam. It’s not the number of machines that you crack but the concepts and strategy that you develop that help you during the exam. Also, finishing all your course exercises will help big time during the exam – I can guarantee you that!

You’ll know when you’re ready. It’ll feel just right!

The Big Day – OSCP Certification Exam

I’m sure you realize that you’ll need plenty of rest before your scheduled 24-hour exam. I scheduled my exam to begin at 9 AM just to ensure I was getting the most out of my body clock. What did I do the day before? I was wrapping up my lab report – make sure you do as much of the reporting as possible beforehand in order to have less stress after the exam. Right before the exam day, I also reviewed the concepts and some tough machines that I had cracked in the lab.

With palms sweating and the Try Harder song in my mind, I waited impatiently for the clock to strike 9 on exam day. I stuck to the strategy for enumeration and exploitation that I’d developed while cracking lab machines, and it worked out fine. Did I clear the exam on the first attempt? Nope. But that failure paved the path for creating a better strategy for my next exam, and I knew which machine to tackle first. Unfortunately, I’m unable to share details here, but I had gathered enough points to clear the exam by the 10th hour.

The first few hours are crucial

Oh trust me, it’s exciting. You’ve prepared for this moment for months and now you’re in it! I feel it’s very important to get 1 or 2 machines down quickly. During the first 5 hours, I barely took any break longer than 3 minutes. My wifey served me snacks and drinks in between, which helped big time. I quickly had 2 machines down in the first 2 hours and had gathered half the points needed to clear the exam. After that, it starts getting steeper. You may want to take a longer break if you’re stuck. I’d try a machine for 4 hours max before moving on to the next one.

Take good notes and be sure to read the exam instructions on screenshots and on how points are awarded for a machine. There may come a time when you get a brain freeze and just don’t know what to do next. Do not overstress; take a break and start over again.

After the exam time was over, I took a few hours of rest before starting my exam report. Remember, the exam report is mandatory and you have 24 hours after the exam to submit it. If you’ve taken good notes, this shouldn’t take more than 2 hours.

Finally, after the exam report submission, the OffSec team sends a confirmation email within a few hours. The result comes in 2-3 business days, but those days feel really long! In my case, I submitted the exam report late Thursday and got the result on Saturday morning. That sweet email you receive when you clear the exam makes you feel on top of the world.

I wish you good luck if you’ve already opted for OSCP and if you’re still on the edge, I’d say take a deep breath and jump in!

I look forward to hearing your story in the comments below.

Enumeration Roadmap (for OSCP Labs):

As promised earlier, I’m going to share the specific strategy that I used for enumerating the lab machines. Please take what you like and tweak it to customize it for what you find works best. You can also go a step further and put all of this into a script for automation during the exam. These are my chicken-scratch notes, so please bear with me. Here we go:

Step 1: Nmap basic scan

nmap -Pn -p- -vv <ip address>

nmap -Pn -p- -sU -vv <ip address>

Step 2: Nmap version and vulnerability scan:

nmap -Pn -sV -O -sS -sU -p T:{TCP ports found in step 1},U:{UDP ports found in step 1} --script "*vuln*" <ip address>

(-sS -sU is needed so that both the T: and U: parts of the port spec are actually scanned; without -sU nmap ignores the UDP ports.)

Grab banners manually for more clarity: nc -nv <ip-address> <port>
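As an added example (not part of the original post), here is a small Python script for the automation suggested above: it parses the step 1 output and builds the step 2 command with the T:/U: port spec. The nmap lines are constructed sample output, not from any lab machine.

```python
import re

# Constructed sample of step 1 output: the "Discovered open port" progress lines that
# -vv prints during the TCP scan, then the port table from the UDP scan.  Not output
# from any lab machine on the page.
STEP1_OUTPUT = """\
Discovered open port 22/tcp on 10.11.1.5
Discovered open port 80/tcp on 10.11.1.5
Discovered open port 445/tcp on 10.11.1.5
Discovered open port 80/tcp on 10.11.1.5
PORT     STATE         SERVICE
69/udp   closed        tftp
137/udp  open|filtered netbios-ns
161/udp  open          snmp
"""

# Matches both line shapes; the third group is the STATE column on table rows and
# just the word "on" on progress lines, which are open by definition.
PORT_RE = re.compile(r"^(?:Discovered open port )?(\d{1,5})/(tcp|udp)\s+(\S+)?")

def open_ports(scan_text):
    """Return {'tcp': [...], 'udp': [...]}: open or open|filtered ports, sorted, deduplicated."""
    found = {"tcp": set(), "udp": set()}
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        port, proto, state = int(m.group(1)), m.group(2), m.group(3) or ""
        if line.startswith("Discovered open port") or state.startswith("open"):
            found[proto].add(port)
    return {proto: sorted(ports) for proto, ports in found.items()}

def port_spec(ports):
    """Build the -p value for step 2, e.g. 'T:22,80,445,U:137,161'."""
    parts = []
    for proto, prefix in (("tcp", "T:"), ("udp", "U:")):
        if ports[proto]:
            parts.append(prefix + ",".join(str(p) for p in ports[proto]))
    return ",".join(parts)

def step2_command(scan_text, target):
    """Return the step 2 nmap command as an argv list (nothing is executed here).
    -sS -sU makes nmap probe both halves of the spec; without -sU the U: part is dropped."""
    spec = port_spec(open_ports(scan_text))
    if not spec:
        return []
    return ["nmap", "-Pn", "-sV", "-O", "-sS", "-sU", "-p", spec, "--script", "*vuln*", target]

if __name__ == "__main__":
    print(" ".join(step2_command(STEP1_OUTPUT, "10.11.1.5")))
```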

Step 3: Any web port(s) for further enumeration?

nikto -port <web ports> -host <ip address> -o <output file.txt>

dirb http[s]://<ip address>:<port> /usr/share/wordlists/dirb/common.txt (or small.txt / vulns.txt)

gobuster -u http://<ip-address> -w /usr/share/seclists/Discovery/Web-Content/common.txt

The /usr/share/seclists/Discovery folder has some great word lists.

If only a web port is visible, try a bigger list in dirb: /usr/share/wordlists/dirb/big.txt

Use Burp Suite as needed.

Do you see any interesting directory containing sensitive data?

Do you see any LFI/RFI vulnerability reported by Nikto? Try fimap: fimap -u <url>

Step 4: Are there any exploits available publicly from the services discovered from Step 2?

searchsploit <service name>

http://www.securityfocus.com/vulnerabilities

Copy exploit to local dir: searchsploit -m <ID>

Step 5: Manual Poking for Web Pages

Check the Page Source, Inspect elements, view cookies, tamper data, use curl/wget

  • Google alien terms!
  • Anything sensitive there?
  • Any version info?

Search repository online (like GitHub) if the application used is open source: this may assist in site enumeration and guessing versions etc.!

Check HTTP Options

Check for input validation in forms (e.g. 1' or 1=1 limit 1;#   and   1' or 1=1--):

  • NULL or null
    • Possible error messages returned.
  • ' , " , ; , <!
    • Breaks an SQL string or query; used for SQL, XPath and XML injection tests.
  • - , = , + , "
    • Used to craft SQL injection queries.
  • ' , & , ! , | , < , >
    • Used to find command execution vulnerabilities.
  • ../
    • Directory traversal vulnerabilities.
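To show what the input validation checks above are actually detecting, here is an added example (my own code, not from the original post): a login query built by string concatenation beside the same query with bound parameters, tested with the page’s 1' or 1=1-- string against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed in-memory table standing in for a web application's login backend.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return db

def login_vulnerable(db, name, password):
    """Form input pasted straight into the SQL text: the defect step 5 is probing for."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' LIMIT 1"
             % (name, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(db, name, password):
    """Same check with bound parameters: the input is data and can never become SQL syntax."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ? LIMIT 1",
        (name, password),
    ).fetchone()
    return row[0] if row else None

def probe_for_error(db, probe):
    """The 'breaks an SQL string' check from the list above: a lone quote that makes the
    concatenated query fail is the sign that the form needs parameters.  Returns the
    database error text, or None when the query parsed."""
    try:
        login_vulnerable(db, probe, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

# The page's second test string; the trailing -- comments out the password clause,
# so the concatenated query degenerates to WHERE name = '1' or 1=1.
PROBE = "1' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PROBE, "x"))  # admin
    print("hardened:  ", login_hardened(db, PROBE, "x"))    # None
    print("probe ':   ", probe_for_error(db, "'"))
```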

Step 6: Are there any NETBIOS, SMB, RPC ports discovered from Step 1?

enum4linux -a <ip address>

rpcclient <ip address> -U "" -N

rpcinfo: What services are running? rpcinfo -p <target ip>

Is portmapper running? Is rlogin running? Or NFS or mountd?

http://etutorials.org/Networking/network+security+assessment/Chapter+12.+Assessing+Unix+RPC+Services/12.2+RPC+Service+Vulnerabilities/

showmount -e <ip address>

Can you mount the SMB share locally?

mount -t cifs //<server ip>/<share> <local dir> -o username="guest",password=""

rlogin <ip-address>

smbclient -L //<ip-address> -U "" -N

nbtscan -r <ip address>

net use \\<ip-address>\<share> "" /u:""

net view \\<ip-address>

Check NMAP Scripts for SMB, DCERPC and NETBIOS

Step 7: Any SMTP ports available?

Enumerate users (mail server testing):

  • VRFY username (verifies whether the username exists; enumeration of accounts)
  • EXPN username (expands an alias or mailing list to its members; also reveals valid accounts)

Step 8: How about SNMP ports?

Default Community Names: public, private, cisco, manager

Enumerate MIB:

  • 1.3.6.1.2.1.25.1.6.0: System Processes
  • 1.3.6.1.2.1.25.4.2.1.2: Running Programs
  • 1.3.6.1.2.1.25.4.2.1.4: Processes Path
  • 1.3.6.1.2.1.25.2.3.1.4: Storage Units
  • 1.3.6.1.2.1.25.6.3.1.2: Software Name
  • 1.3.6.1.4.1.77.1.2.25: User Accounts
  • 1.3.6.1.2.1.6.13.1.3: TCP Local Ports

Use tools:

onesixtyone -c <community list file> <ip-address>

snmpwalk -c <community string> -v <version> <ip address>

E.g. enumerating running processes:

root@kali:~# snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2
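As an added example (my own code, not from the original post), here is a Python parser that groups raw snmpwalk output under the OID table from this step, which is also a quick way to audit what a host gives away to a default community string. The walk output is constructed sample text, not a capture from the lab host above.

```python
import re

# The OID table from this step, keyed by subtree prefix; a walked instance OID
# belongs to the first prefix it falls under.
OID_NAMES = {
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.6.13.1.3": "TCP Local Ports",
}

# Constructed snmpwalk -v1 output for a host answering the "public" community.  With no
# MIB files loaded, net-snmp prints OIDs numerically with an "iso." prefix.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 Model 42"
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 42
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "smss.exe"
iso.3.6.1.2.1.25.4.2.1.4.4 = STRING: "C:\\Windows\\System32\\"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.0 = INTEGER: 80
"""

LINE_RE = re.compile(r'^(?:iso|\.?1)\.([\d.]+) = ([\w-]+): (.*)$')

def parse_walk(text):
    """Group snmpwalk lines under the table above; returns {name: [values]}."""
    result = {name: [] for name in OID_NAMES.values()}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid, type_tag, raw = "1." + m.group(1), m.group(2), m.group(3)
        # Numeric types become ints; strings lose their surrounding quotes.
        numeric = type_tag in ("INTEGER", "Gauge32", "Counter32") and raw.isdigit()
        value = int(raw) if numeric else raw.strip('"')
        for prefix, name in OID_NAMES.items():
            if oid == prefix or oid.startswith(prefix + "."):
                result[name].append(value)
                break
    return result

def exposed_categories(text):
    """Table entries for which the agent returned at least one value, i.e. what the
    community string gives away and therefore what to restrict on the host."""
    return [name for name, values in parse_walk(text).items() if values]
```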

Step 9: FTP Ports Discovered

Is anonymous login allowed?

If yes, is directory listing possible? Can a file be retrieved ('get') or uploaded ('put')?

Use browser: ftp://<ip-address> , What do you find?

Step 10: Password Cracking / Brute Forcing

Try this as the last resort or in case the Passwd/Shadow/SAM files are in possession:

For Linux, first combine the passwd and shadow files: unshadow <passwd-file> <shadow-file> > unshadowed.txt

Then use John on the unshadowed file with a wordlist and rule-based mangling: john --rules --wordlist=<wordlist file> unshadowed.txt

Identifying a hash: hash-identifier

For other services, use Medusa or Hydra. E.g.:

hydra -L <username file> -P <password file> -v <ip-address> ssh

medusa -h <ip-address> -U <username file> -P <password file> -M http -m DIR:/admin -T 30

Using hashcat for cracking hashes:

For WordPress MD5 with salt (phpass): hashcat -m 400 -a 0 <hash file> <wordlist file>

Sample password list: /usr/share/wordlists/rockyou.txt

Step 11: Packet Sniffing

Use Wireshark / tcpdump to capture traffic on the target host:

tcpdump -i tap0 -vv host <target-ip> and tcp port 80 and not arp and not icmp

(Options such as -vv go before the filter expression, and the filter terms are joined with "and".)

14 Comments

  1. Hello Sir/Madam,

    Great job on this detailed guide for OSCP. May I ask if this guide will help me learn from scratch? I mean, I am really a noob in IT security. I know basic CLI, and the basics of Ubuntu, Kali, Mint and CentOS. I grew up using Windows. No working experience and no training related to IT security.

    I am also an IT graduate, so I wonder if I will be able to start this without even having experience/work related to IT security.

    By the way, I’m planning to take this in the future.

    Thank you sir. Your response will be much appreciated.

    Sincerely,
    Rap Chua

    1. Hi Rap,

      I’d start with some lighter Security certifications like CompTIA Security+ or CEH to get a better understanding of the security concepts and exploits if you’re low on confidence. Good luck for the future preparations. OSCP is not hard, you just have to ‘try harder’.

  2. Hey dude, this for sure is of great help; anyone trying for OSCP as a n00b will get a good understanding. Thank you for sharing.

  3. Hi AJ,

    I must confess I find this review incredibly useful, particularly the enumeration road map. I am currently in the labs, having taken several months to prepare ahead so as not to waste valuable lab time.
    However, I would like to defer to you occasionally for little hints if I get stuck.
    Thanks again.

    1. Thank you for the good vibes Wen, it’s because of people like you that I gathered the courage to write a blog on my OSCP experience 🙂
