Sunday, June 21, 2020

Approach to Crack OSCP Examination


Table of Contents

  1. Overview
  2. Phases
    1. Pre-Enrolment
    2. Post-Enrolment
    3. Examination
  3. References

Hi techies!! Starting from OSCP Preparation till examination this journey has been really amazing and full of learnings for me. A 24 hours exam where everything you know has to be done practically, from trying to exploit machines to gaining root access. This all sounds extremely exciting and challenging. And it is!! You will experience lots of excitement, pain, suffering, confidence, frustration, and motivation where learning will be constant throughout the journey. This certification should be done by everyone who really wants to get themselves into the Penetration Testing field.

Well, a lot of people have been asking me about OSCP certification mainly focusing on how to start preparing for it. In this blog, I will be sharing some ideas/strategies for OSCP preparation. This blog can be helpful for both beginners as well as intermediates who want to attempt OSCP exam. Herein, I will also be sharing OSCP resources/material which I found useful during my journey.


Overview



The OSCP certification is awarded on successfully cracking 5 machines in 23.45 hours. One machine is for exploit writing, i.e. Buffer Overflow, and holds the maximum points, while the other 4 test enumeration, exploitation, and post-exploitation. For practising different attack scenarios hands-on, you will be given online lab access to 55+ machines running different versions of both Linux and Windows. After sufficient practice and hard work, when you feel confident, you can finalise the exam date.

Before going into it, a small suggestion for you guys - DON’T do the certification just for getting the certificate, do it because you really want to LEARN it. 


Phases

Firstly, if you are really excited to start preparing for OSCP, give yourself dedicated time/hours in which you will just be preparing for the OSCP exam and nothing else. A never-give-up attitude, a creative hacker's way of thinking, lots of interest, patience, and enthusiasm are what it takes! It can be 1-2 or 3-4 hours daily or more, but let it be fixed (in case you are lazy, try rewarding yourself once you meet your weekly target to stay motivated). To get you started, I have divided the OSCP preparation into three phases, i.e. Pre-Enrolment, Post-Enrolment and Examination. Below is a small checklist that I followed before appearing for the exam.

  1. Pre-Enrolment
If you are not a newbie in pentesting and already understand Linux commands and tools, web application attacks and buffer overflow exploitation, you can skip this section and enrol right away. For the rest, you will need to cover the following aspects.
Note: Links to understand everything mentioned below are given at https://github.com/RihaMaheshwari/OSCP-Preparation-Material/

    • Linux and Windows Environment - Play around with Kali and Windows to be familiar with both OSes.
    • Linux and Windows Commands - Knowing Linux and Windows commands will speed up your process. Brush up on them!
    • Basic Programming Skills - Understand how to read programs/scripts in PHP, Python and Perl. You will need to debug and rewrite exploits, so also learn Bash scripting; it will help you automate tasks.
    • Nmap - Revisit the different scanning techniques and NSE scripts. You can also create a recon script to automate basic scans.
    • Web Application Attacks - SQL Injection, Local File Inclusion, Remote File Inclusion, XSS, and Command Execution - The lab machines host a lot of web application content, so practice getting RCE through SQLi, LFI and RFI, and bypassing web security filters for injection attacks.
    • Reverse Shell and Bind Shell - Have a clear understanding of the difference between a reverse shell and a bind shell, and of how to create a payload for each.
    • Netcat & Ncat - This is the most common tool and you will be using it a lot. Go over it!
    • Metasploit Framework - Brush up on using msfvenom, creating payloads in different formats, using staged vs. non-staged payloads and using multi/handler. Also go through the Metasploit post-exploitation modules.
    • Wireshark and Tcpdump - You'll be using Wireshark to debug your exploit, or Tcpdump when the machine doesn't have a GUI. Look over them!!
    • Windows and Linux Privilege Escalation - The most important part of all. You may get the shell easily, but without much practice in privilege escalation it will be difficult. Understand kernel exploits and misconfigurations like weak service/file permissions, cron jobs and NFS/shares.
    • Escaping restricted shells and spawning shells - Understand the difference, as you will run into this a lot during your OSCP.
    • File transfer - Go through the different techniques for transferring files on Windows and Linux. This is important to understand.
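The "recon script to automate basic scans" idea from the Nmap item above, as an added example that is not part of the original post or its GitHub repo: a small Python script that parses nmap's greppable (-oG) output and builds one targeted version/script follow-up scan per host over its open TCP ports. The .gnmap lines, IP addresses and service banners are constructed sample data, not a real lab scan, and the shape of the follow-up command is my own choice.

```python
#!/usr/bin/env python3
"""Parse nmap greppable (-oG) output and build per-host follow-up scan commands.

Added example for the "recon script to automate basic scans" idea; it is not
code from the original post. The sample below is constructed, not a real scan.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap -oG output. Each entry in the "Ports:" field has
# the form port/state/protocol/owner/service/rpc-info/version/ and entries are
# separated by ", "; fields on a Host line are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sun Jun 21 17:00:00 2020 as: nmap -sV -oG lab.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (997)
Host: 10.11.1.7 ()\tStatus: Up
Host: 10.11.1.7 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows 7 - 10 microsoft-ds/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done at Sun Jun 21 17:05:00 2020 -- 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
OpenPort = Tuple[int, str, str, str]  # (port, protocol, service, version)


def parse_gnmap(text: str) -> Dict[str, List[OpenPort]]:
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts: Dict[str, List[OpenPort]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment, "Status: Up" line, or host with no port info
        ip = m.group(1)
        hosts.setdefault(ip, [])
        # The Ports field runs from "Ports: " up to the next tab-separated field.
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip it rather than abort the whole parse
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return hosts


def followup_commands(hosts: Dict[str, List[OpenPort]]) -> List[str]:
    """Build one -sV -sC scan per host restricted to the TCP ports found open."""
    cmds = []
    for ip, ports in sorted(hosts.items()):
        tcp = sorted(p for p, proto, _s, _v in ports if proto == "tcp")
        if tcp:
            port_list = ",".join(str(p) for p in tcp)
            cmds.append(f"nmap -sV -sC -p{port_list} -oA followup_{ip} {ip}")
    return cmds


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in parsed.items():
        print(ip)
        for port, proto, service, version in ports:
            print(f"  {port}/{proto}  {service:<16} {version}")
    print("\nFollow-up scans:")
    for cmd in followup_commands(parsed):
        print("  " + cmd)
```

Run it against a real file by replacing SAMPLE_GNMAP with the contents of the .gnmap produced by `nmap -oG`; the parser only keeps ports whose state is exactly "open", so closed and filtered ports never make it into the follow-up port list.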

  • Practical -

    • Setup your Lab - Install Kali Linux and configure it according to your requirements. 
    • Metasploitable - A vulnerable Linux Machine for you to exploit. You will get a lot of content on the Internet to exploit this machine in different ways. Practice and understand this.
    • Buffer Overflow - Buffer overflow is a very important concept that you need to thoroughly understand. But don’t worry if you know nothing about buffer overflows. I have provided the links which will help you understand the concept of a buffer overflow in the given github repo, and you can try exploiting the vulnerabilities on the machines provided in the github repo.
    • Read Write-ups - Read write-up/walkthrough of different machines from HacktheBox & Vulnhub and make your notes.
    • Vulnhub Machines - After completing these, you are ready to move on to exploiting different types of machines. The link contains OSCP-like machines for beginner and intermediate levels. Try it!
    • Privilege Escalation Techniques - Understand Windows and Linux Privilege Escalation techniques.
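To make the "weak file permissions + cron jobs" misconfiguration from the privilege escalation items concrete, here is an added Python example (not code from the original post or its GitHub repo) that audits system-crontab entries the way a defender, or a lab player reviewing a box, would: it flags root-run jobs whose script is world-writable or owned by a non-root user. The crontab lines, paths, modes and uids are constructed sample data; in a real audit the file metadata would come from os.stat() on the host.

```python
#!/usr/bin/env python3
"""Audit system-crontab entries for root jobs that run writable or foreign-owned scripts.

Added example for the cron-job / weak-file-permission misconfiguration named in
the checklist; it is not code from the original post. The crontab content and
the file metadata below are constructed so the script runs offline.
"""
import stat
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed /etc/crontab content (system crontab format: m h dom mon dow user command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /usr/local/bin/backup.sh
0 3     * * *   root    /opt/scripts/cleanup.py --force
30 2    * * *   www-data /var/www/rotate-logs.sh
"""

# Constructed stand-in for os.stat(): path -> (st_mode, st_uid). uid 0 is root.
SAMPLE_FILES: Dict[str, Tuple[int, int]] = {
    "/usr/local/bin/backup.sh": (0o100777, 0),    # world-writable, owned by root
    "/opt/scripts/cleanup.py": (0o100755, 1001),  # not writable by others, but owned by uid 1001
    "/var/www/rotate-logs.sh": (0o100777, 33),    # world-writable, but the job runs as www-data
    "/bin/sh": (0o100755, 0),
}


@dataclass
class Finding:
    path: str
    user: str
    reason: str


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs, skipping blank lines, comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # 5 time fields, user, then the rest is the command
        if len(parts) < 7:
            continue  # malformed line; a real auditor would log it
        jobs.append((parts[5], parts[6]))
    return jobs


def program_path(command: str) -> str:
    """Return the program cron executes if it is given as an absolute path, else ""."""
    first = command.split()[0] if command.split() else ""
    # Relative names (e.g. "cd", "run-parts") resolve via cron's PATH and are not checked here.
    return first if first.startswith("/") else ""


def audit_crontab(text: str, files: Dict[str, Tuple[int, int]]) -> List[Finding]:
    """Flag root-run jobs whose script could be modified by a non-root user."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue  # only jobs running as root hand out root on modification
        path = program_path(command)
        if path not in files:
            continue  # nothing to check against in this offline sample
        mode, uid = files[path]
        if mode & stat.S_IWOTH:
            findings.append(Finding(path, user, "world-writable script run by root"))
        elif uid != 0:
            findings.append(Finding(path, user, f"script owned by uid {uid}, not root, run by root"))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"[!] {f.path}: {f.reason}")
```

The same two checks (others-write bit, non-root owner) are what you should apply when hardening a box: a root cron job is only as trustworthy as the least-privileged account that can edit what it runs.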

  • Note: You can find all the course details like syllabus, pricing, prerequisites and guidelines on the official page.

  2. Post-Enrolment
    • Pre-Lab Access
      • Vulnhub - Try exploiting as many machines as you can on Vulnhub. It will help you understand privilege escalation clearly.
      • Hack The Box Machines - By now you will have a basic understanding of what exactly to do when you get an IP address. Now you can start exploiting Hack The Box machines. Get root access on at least 5 machines.
    • Post-Lab Access
      • Read PWK PDF - Start with reading the PWK PDF, which was expanded in 2020 from 380 pages to 850 pages and includes a hands-on mini-network for reproducing the steps mentioned in the book. You will receive this content post-registration. A lot of new content has been added, so make sure you cover it.
      • Watch OSCP Videos - Along with the PDF, you will get 17+ hours of video (according to the new guidelines), which you must cover. To be honest, when I gave my exam in 2019 I didn't really finish watching all the videos. But if you are a beginner and don't really have any experience in Web/Network Application VAPT, then I recommend you watch all the videos.
      • OSCP Labs - Now you have OSCP Lab access. Be ready to work hard for 1 month straight, with a dedicated routine, if you want to clear it. Over 70 machines will be there (for people enrolling in 2020), and you will start with the basic reconnaissance process and go all the way to exploiting and gaining a root shell. Exploit as many machines as you can. If you have a job, then maybe you can use your labs in the morning and evening. A piece of advice while doing the labs: do not spend too much time documenting the lab machines. Take notes and exploit as many machines as you can.
  3. Examination
    • Best Timelines - It is best to book the date for the OSCP examination as soon as you complete your labs, as you will have a lot of practice in hand. You may feel that you are not prepared, but it's normal to feel that way. Prepare your mind to attempt the exam at the earliest. I scheduled my exam to begin at around 5 pm. Since I am a night person, scheduling it in the evening worked for me. I had enumerated all the machines but didn't have access to even a single one, and 10 hours had already passed. I was fed up and tired but didn't compromise on the routine I had planned for the big day. I slept between 3-7am and resumed the exam with a fresh mind and breakfast. The second day turned out to be in my favor and I was able to crack the machines back-to-back, as if I already knew everything (all thanks to the enumeration I did the previous night; enumeration is the key). And it goes without saying: "Try Harder"...!!!
    • Tips for Exam
      • Be confident & keep your calm
      • Prepare your meals in advance and stay hydrated
      • Plan your exam day routine and do include 3-5 hrs of sleep to stay in the game
      • Enumerate well - Sometimes the answer lies right in front of us, but we fail to see it
      • Take regular short breaks to go for a walk and get some fresh air
      • When I gave the exam I recorded my screen (it helped me with documentation), but under the new 2020 guidelines screen recording is forbidden. So, make sure you proactively take screenshots/PoCs immediately after each exploitation step.
      • Don't panic at the beginning or in between if you are unable to crack a machine (enumerate, switch to another machine or take a short break)
      • Submit the flags (local.txt & proof.txt) in the exam panel immediately once you fetch them
      • Remember, you only fail when you stop trying, so TRY HARDER!
    • Reporting
      • After completing the exam, you will have 23.45 hrs to prepare the report and share it. You can refer to the Reporting Guide, which also has a Report Template. (Tip: Keep your own basic report prepared to save time)
      • Before starting the report, read the offsec reporting guidelines carefully and build your report in the exact format, covering all the details as mentioned.

There are no shortcuts, customize this approach according to your schedule. 

Hope this helped!! Leave your comments below. All the best!!

References: