OSCP Preparation Guide

How I Passed OSCP with 100 points in 12 hours without Metasploit in my first attempt

I’m 21 years old and I decided to take OSCP two years ago when I was 19 years old. I had to wait for 1 and a half years until I won an OSCP voucher for free. Not just a normal 30 day lab voucher, but a 90 day lab voucher that costs about 1349$. Here’s how I cracked Secarmy’s OSCP challenge and won the OSCP lab voucher for free.

Watch the Webinar on Ultimate OSCP Preparation Guide :

Passive Preparation 2 years ago :

Whenever someone releases a writeup after passing OSCP, I would read it and make notes from their writeup as well. This came in handy during my exam experience.

Of everything in the OSCP syllabus, the one thing I had no idea about 2 years ago was definitely buffer overflow. I knew that it was crucial to attaining the passing score. So I followed Abraham Lincoln’s approach.

The best way to get rid of your enemies is to make them your friends

- Abraham Lincoln

Even though I had no idea when I’d be taking OSCP, or even whether I’d be able to afford it, I just started learning buffer overflows hoping that at one point in my life, I would be able to afford the exam cost. LOL… Crazy that it all started with a belief.

Passive Preparation 1 year ago :

HackTheBox for the win. I started HackTheBox exactly one year ago (2020) after winning an HTB VIP subscription in Nova CTF 2019. I practiced the OSCP-like VM list by TJNull. Because I had a few years of experience in application security from the bug bounty programs I participated in, I was able to get the initial foothold without struggle on HTB machines. But that wasn’t the case with privilege escalation.

So, I wanted to brush up on my privilege escalation skills. You can find all the resources I used at the end of this post. Getting comfortable with Linux and Windows file systems is crucial for privilege escalation. This will help you find the odd scripts located in odd places. Spend hours looking at the output of privilege escalation enumeration scripts to learn which files are common and which aren’t.

Active Preparation 45 days :

My PWK lab was activated on Jan 10th, 2021. My lab experience was a disappointment. I felt like there was no new learning. I pwned just around 30 machines in the first 20 days I guess, but I felt like I’m repeating. So, I paused my lab and went back to TJ null’s recent OSCP like VM list. Pwned 50–100 vulnhub machines. I sincerely apologize to Secarmy for wasting their 90 days lab 😩

Whenever I tackled a new machine, I treated it like an OSCP exam. I would always try to finish the machine in a maximum of 2 and a half hours without using Metasploit. Of course, when I started pwning machines a year ago, things weren’t going exactly as I planned. It took me more than a day to solve an easy machine and I was stuck often. But I made notes of whatever I learned. So when I got stuck, I’d refer to my notes, and if I had replicated everything in my notes and still couldn’t pwn the machine, then I’d read the walkthrough without guilt :)

Feel free to make use of walkthroughs but make sure you learn something new every time you use them

I never felt guilty about solving a machine by using walkthroughs. New skills can’t be acquired if you just keep on replicating your existing ones. Walkthroughs are meant to teach you. It’s not like if you keep on trying harder, you’ll eventually hack the machine. You aren’t here to find zero days. Use walkthroughs, but make notes of them so that you won’t have to refer to a walkthrough if you had to pwn the same machine a few days later.

In mid-February, 30 days into the OSCP lab, I felt like I could do it. There’s no clear indication of when you are ready to take it. But I decided to schedule the exam after this.

How did I know I was ready?

Whenever I start a machine, I always have this anxiety about whether I’ll be able to solve the machine or not. After continuously pwning 100+ machines across the OSCP lab and Vulnhub for 40 straight days without rest, at one point my anxiety started to fade and my mindset was like “Chuck it, I learned so much in this process. It’s just an exam. It would be worth retaking even if I fail”.

After reaching that point, I faced the next few machines without fear and was able to compromise them completely. On the 20th of February, I scheduled my exam for the 24th of March. After scheduling, my time started to run in slow motion. I didn’t feel like pwning any more machines as I had almost completed TJNull’s list. I was afraid that I would be out of practice, so I rescheduled it to the 14th of March. From the 20th of February to the 14th of March (22 days prior to exam day), I didn’t pwn a single machine. I just kept watching videos and reading articles, and if I came across a new technique that my notes didn’t have, I’d update my notes.

Timeline :

Exam Setup :

I had 7 workspaces set up in Kali Linux: 5 desktops, one per machine, one for misc, and the final one for the VPN. I took a VM snapshot the night before the exam so that if things went wrong, I could revert to the snapshot state. I created a recovery point on my Windows host as well. I used OneNote for note-making as it syncs with the cloud in case my host machine crashes. In short, I was prepared for all kinds of worst-case scenarios as I was expecting the worst, to be honest. I even had RedBull as a backup in case too much coffee went wrong 😆 Thank god it didn’t and I never had to use the RedBull.

Exam Experience :

I scheduled my exam to start at 5.30 A.M. because I wanted to finish the exam in 24 hours without wasting time on sleep (although people say sleep is crucial, I wanted to finish it off in one run and then sleep in peace). Sleep doesn’t help you solve machines. It will just help you take a rest. But working for 24 hours is fine with me. That way, even if things go wrong, I only have to stay awake till maybe 2–3 a.m. to know whether I can pass or not, and not the whole night. If I had scheduled it for late morning or afternoon, then I might have had to work all night, and my mind would automatically make me feel like I was overdoing it and ask me to take a nap. So, 5 a.m. was perfect for me. I woke at 4, had a bath, and drank some coffee. I logged into the proctoring portal at 5.15 and finished the identity verification.

Respect your proctors. Greet them. Get comfortable with them. Be sure to remember that they are humans, not bots lol. My proctors were super friendly and coped with me even when I had a few internet troubles and screen sharing issues. I had no trouble other than that and everything was super smooth.

My strategy to pass:

  1. BOF

  2. 25 pointer

  3. 20 Pointer

Thankfully things worked as per my strategy and I was lucky.

Luck is directly proportional to the months of hard work you put in

Created a targets.txt file. Pasted the 4 IPs (excluding BOF) into targets.txt and started with

autorecon -t targets.txt --only-scans-dir

Buffer Overflow — 25 Points :

While that was running, I started with the buffer overflow like a typical OSCP exam taker. I’m super comfortable with buffer overflows as I have almost 2 years of experience with them. I had to finish it in 30 minutes and hell yeah, I did it. Though there were a few surprise elements there that I can’t reveal, I didn’t panic, because the OSCP experience writeups from various people had always taught me one common thing

Pray for the Best, Prepare for the Worst and Expect the Unexpected

Took a break for 20 minutes right after submitting proof.txt for the Buffer Overflow machine.

Hard 25 Point machine :

3 hours to get an initial shell. I took two breaks in those 3 hours, but something stopped me from moving on to the next machine. Breaks are helpful to stop you from staring at the screen while the enumeration scripts are running. The only hurdle I faced in OSCP is the same issue that we face on HackTheBox. The VPN is slow, so I couldn’t keep my enumeration threads high because it breaks the tool often and I had to restart from the beginning. So, I had to run all the tools with reduced threads, and the enumeration took 50x longer than it takes on local Vulnhub machines. But I never gave up on enumerating, because in one of the OSCP writeups, a wise man once said

Once I got the initial shell, privilege escalation was KABOOM! The only thing you need is the experience to know which finding is fishy and which isn’t. This experience comes with time, after pwning hundreds of machines and spending countless hours staring at linpeas/winpeas output.

4 hours into the exam, I was done with the buffer overflow and the hardest 25 point machine, so I had 50 points in total. I’d pass if I pwned one 20 point machine. I didn’t take a break and continued to the 20 point machine.

First — 20 point machine:

10 minutes to get the initial shell, because all the enumeration scripts were already done and I had a clear path. Thank god, the very first path I chose was not a rabbit hole. It would have felt like a rabbit hole if I hadn’t had the enumeration results on hand first. So, I highly suggest you enumerate all the services and then perform all the tests. Trust me, testing all your techniques may take hardly 30 minutes if you’re well-versed, but a full-scale enumeration over that slow VPN will take you hours.

Also, this machine taught me one thing. Sometimes, an abundance of information from autorecon can lead you into a rabbit hole. This is where manual enumeration comes in handy. I first saw the autorecon output and was like, “Damn, testing all these services gonna cost me a day”. So, I discarded the autorecon output and did manual enumeration. It gave me a limited amount of information, which helped me decide which service to focus on and which to ignore.

So, after the initial shell, I took a break for 20 minutes. Came back. Escalated privileges in 30 minutes. That moment, when I got root, I was laughing aloud and I felt the adrenaline rush that my dreams were coming true. 5 hours 53 minutes into the exam and I already had a passing score of 70 points. I took a 30 minute break and had my breakfast. For those 6 hours, I had only been sipping my coffee and water.

Easy 10 Point machine:

DO NOT UNDERRATE THIS MACHINE! This is the trickiest machine I had ever seen. Partly because I had underrated this machine from the writeups I read. This cost me an hour to pwn. So, at 07:23 into the exam, I had 80 points and I was in the safe zone 😄 But I didn’t take a break. I did all the manual enumeration required for the second 20 point machine and ran the required auto-enumeration scripts as well. Then I took a break for an hour.

Second — 20 point machine:

It took me 4 hours to get an initial foothold. Well yeah, you can’t always be lucky to spot rabbit holes. I was tricked into a rabbit hole but again, deployed the wise man’s Enumerate harder tip. Bruh, I got a shell in 10 minutes after enumerating properly 😐 I felt like I was trolled hard by the Offsec at this point.

Privilege escalation took 17 minutes. Hehe. I couldn’t believe my eyes that I did it in 17 minutes, so I had to recheck and rerun the exploit multiple times. I was so confused about whether what I did was the intended way, even after submitting proof.txt lol 😆

So yes, I pwned all 5 machines and attained 100 points in 12 hours and 35 minutes (including all 6 breaks, which account for 2.5–3 hours). Though it seems like I completed the exam in ~9 hours and 30 minutes, I can’t neglect the break hours as the enumeration scripts were constantly running during all the breaks. I took another hour to replicate all the exploits, retake screenshots, check that I had the necessary screenshots, and ended the exam. I made sure I had the output screenshot for each machine in this format.

Windows :

type proof.txt && whoami && hostname && ipconfig

Linux :

cat proof.txt && whoami && hostname && ip addr

Exam Timeline :

Metasploit :

I forgot that I even had a tool called Metasploit installed, even when I was extremely stuck, because I never used it during my preparation. In fact, during my preparation, I was ignoring the Rapid7 blog posts while searching for exploits LMAO!

Also, remember that you’re allowed to use the following tools an unlimited number of times.

  • multi handler (aka exploit/multi/handler)

  • msfvenom

  • pattern_create.rb

  • pattern_offset.rb

So, make use of msfvenom and multi handler whenever you feel like the normal reverse shell isn’t working out and you need to use encoders. Refer to the exam guide for more details.

Reporting :

I used the standard report template provided by Offsec. I just made a few changes and gave a detailed walkthrough of how I compromised all the machines. My report was 47 pages long. I wrote it in as much detail as possible. I did some background research on the vulnerabilities I exploited, including the CVE numbers, the CVSS score, and the patches rolled out for the vulnerabilities. I even referenced the git commits in which the vulnerability was introduced and in which the patch was deployed.

Result Day :

I had to wait 5 days for the results. This was probably the hardest part of OSCP for me. Though I had 100 points, I could not feel satisfied in that instance. I have seen writeups where people had failed because of mistakes they made in their reports. I waited one and a half years to get that OSCP voucher, but these 5 days felt even longer.

View my verified achievement here: https://www.youracclaim.com/badges/0dc859f6-3369-48f8-b78a-71895c3c6787/public_url

OSCP Preparation Plan :

This is my personal suggestion. Instead of buying a 90 day OSCP lab subscription, buy a 30 day lab voucher but prepare for 90 days. Here’s how you can do it.

  1. Practice OSCP-like Vulnhub VMs for the first 30 days

  2. Buy HackTheBox VIP & Offsec Proving Grounds subscriptions for one month and practice there for the next 30 days. Recently, I have heard a lot of people saying that Proving Grounds has more OSCP-like VMs than any other source.

  3. Finally, buy a 30 day lab voucher and pwn as many machines as possible.

HackTheBox VIP and Offsec PG will cost 15$ and 20$ respectively. The OSCP 30 day lab is 1000$. So, it will cost you 1035$ in total. The 90 day lab will cost you 1350$. You can essentially save up to 300$ by following my preparation plan.

Preparation Tips :

  • You’ll run out of techniques before time runs out. So learn as many techniques as possible, so that you always have an alternate option if something fails to produce output.

  • Try harder doesn’t mean you have to try the same exploit with 200x thread count or with an angry face. Go, enumerate harder.

Exam Tips :

  • Bruh you have unlimited breaks, use it. You aren’t writing your semester exam.

  • 24 reverts are plenty enough already. Go use them.

  • Caffeine is a must.

  • You’re not gonna pentest a real-world machine. You’re gonna try to hack into an intentionally vulnerable machine that is vulnerable to a specific exploit. Exploiting it right in 24 hours is your only goal. So, OSCP is actually a lot easier than real-world machines where you don’t know if the machine is vulnerable or not.

  • ippsec.rocks is a good resource to use if you need help with exploiting a specific service.

Tip for Enumeration :

Enumerate more means:

  • Scan ports, scan all the ports, scan using different scanning techniques.

  • Brute force web dirs, brute force web dirs using different wordlists and tools.

  • Check for file permissions, check for registry entries, check for writable folders, check for privileged processes and services, check for interesting files.

  • Look for a more suitable exploit using searchsploit, search Google for valuable information, etc.

  • Check the webserver version, web app version, CMS version, and plugin versions.
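The local checks in the list above (file permissions, writable folders, privileged processes, interesting files) are the same misconfigurations an administrator audits for, so it is worth knowing what each one actually looks like on disk rather than only reading them out of linpeas/winpeas output. The script below is an added example, not code from this post and not part of autorecon, linpeas or winpeas: a small POSIX-sh audit whose functions take a directory tree as an argument, so the checks can be run on a constructed sample tree as well as on a real host. The file-name patterns, the `--audit` flag and the section names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, nor from autorecon/linpeas/winpeas):
# runs the local items of the "enumerate more" list against a directory tree.
# Every function takes the tree root as $1 (default /) so the checks can be
# exercised on a constructed sample tree instead of the live filesystem.

# Directories anyone can write to that lack the sticky bit: scripts or config
# placed there can be replaced by any local user (the "odd script in an odd
# place" finding).
find_world_writable_dirs() {
    root="${1:-/}"
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# World-writable files: the ones later executed by a root-owned job matter most.
find_world_writable_files() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -0002 2>/dev/null | sort
}

# setuid/setgid executables: the privileged programs a review compares against
# the distribution's expected list.
find_suid_sgid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files whose names usually deserve a look (backups, private keys, password
# stores). The pattern list is an assumption; extend it as needed.
find_interesting_files() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -name '*.bak' -o -name 'id_rsa' -o -name '*.pem' \
        -o -name '*.kdbx' -o -iname '*password*' \) 2>/dev/null | sort
}

# Reduce a `ps -eo user,pid,args` listing (read on stdin) to root-owned
# processes, dropping the header line and kernel threads (args in brackets).
# Kept as a pure filter so it can be tested on constructed lines.
root_processes() {
    awk 'NR > 1 && $1 == "root" && $3 !~ /^\[/ { print $2, $3 }'
}

# Print every section for one tree; on a real host pass "/" as the root.
run_audit() {
    root="${1:-/}"
    echo "== world-writable directories (no sticky bit) =="; find_world_writable_dirs "$root"
    echo "== world-writable files =="; find_world_writable_files "$root"
    echo "== setuid/setgid executables =="; find_suid_sgid "$root"
    echo "== interesting file names =="; find_interesting_files "$root"
    echo "== root-owned processes =="; ps -eo user,pid,args | root_processes
}

# Guarded so that sourcing this file only defines the functions and never
# scans the host by itself.  Usage: sh audit.sh --audit /
if [ "${1:-}" = "--audit" ]; then
    run_audit "${2:-/}"
fi
```

Each section is deliberately a separate function with the root as a parameter: run it against `/` on a lab box to see the raw findings, or against a small tree you built yourself to learn which entries are normal for the distribution and which are the odd ones the post tells you to hunt for.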

Tip for Foothold :

  • Password reuse

  • The default password of the application / CMS

  • Guess the file location in case of LFI with a username

  • Usernames from any notes inside the machine might be useful for brute force

Credits :

I thank my family for supporting me. My parents are super excited; even though they didn’t know what OSCP was at first, they saw the countless nights I stayed awake and understood that it’s a strenuous exam. I thank Secarmy (now dissolved into AXIAL), Umair Nehri, and Aravindha Hariharan. I’m forever grateful to all my Infosec seniors who gave me moral support and their wisdom whenever needed. Finally, I thank all the authors of the infosec blogs which I did and didn’t refer to.

Social handles: LinkedIn, Instagram, Twitter, Github, Facebook

FAQ :

How many years of experience do you have?

4 years in Application and Network Security. Overall, I have been a passive learner in Infosec for 7+ years.

How many months did it take you to prepare for OSCP?

One year, to be accurate. Exactly a year ago (2020), I pwned my first machine in HTB. From then, I actively participated in CTFs.

What are you studying?

I completed my undergraduate program in Information Technology and will be pursuing my Masters in Information Security at Carnegie Mellon University this fall 2021.

Resources :

OSCP Journeys and Preparation guides:

Cheatsheets :

Linux Privilege Escalation :

Linux Privesc Tools :

Windows Privilege Escalation :
