My OSCP review

After obtaining my CISSP certification in September 2018, my focus shifted back to the technical side: obtaining the OSCP certificate, which would prove that I don't only talk the talk, but also walk the walk.

I had already been working as a penetration tester for a consultancy company for a number of years and had gained some experience on hackthebox and vulnhub before applying for the Offensive Security course. On my selected course start date, I received an email containing the course materials and VPN access. I quickly browsed through the course book and the videos, but could not restrain myself and dived straight into the labs.

To start with, I did a full-range TCP and UDP nmap scan on all ports to get a good understanding of the network, and used the results to create a structure in OneNote as a library to store my documentation.

My first machine (Phoenix) was rooted quickly (tip: port 443 should always be your first try for getting a reverse shell). Over the following days I managed to root one or two machines per day in the public network.

Some machines I really liked were Dotty, Payday, Pedro, F4C and of course Pain, Sufferance, Humble and Ghost.

After a month, I had completed all machines in the public network and started thinking about taking the exam. I scheduled the exam for 2 weeks later so I would still have some time to prepare and do the buffer overflow exercises, which I had avoided until then and was not looking forward to because they looked so low-level and complicated.

The next Friday night, when everyone was asleep, I set aside a few hours to finally learn how that buffer overflow worked. I followed the steps in the video and the course book, and 3 hours later, at 4 AM, I popped my first shell via my own buffer overflow exploit. I can confirm what everyone says about buffer overflows: they look daunting and complex, but once you're actually working with one, it's really interesting and logical (see my buffer overflow walkthrough).

Now that I was able to identify and exploit buffer overflow vulnerabilities, I felt ready for the exam. In the following two weeks I rooted the Development, IT Department and finally the Admin network, which involved some confusing pivoting techniques (I recommend using sshuttle). As a final rehearsal, I finished all the course exercises, which I really recommend doing.

As I'm more of a night owl, my exam was scheduled to start at 11 PM. Right on time, I received the email with the VPN connection details and exam guidelines. I decided to focus on the buffer overflow machine first while enumerating the other machines using Reconnoitre.

After 40 minutes, I had rooted the buffer overflow machine and the first points were in. Within the next hour I was able to root another box. Less than two hours into the exam, I had 35 points in the bag. I spent the next 2 and a half hours trying to manually exploit a service but could not manage to make it work. Luckily there was a Metasploit module for this particular exploit, so I decided to take the gamble and sacrifice my Metasploit wildcard on this box. Ten minutes later, I was finally able to pop the box using the Metasploit module and score another 20 points.

On the fourth box, a Windows machine, I was able to quickly get a foothold, but the privilege escalation proved to be challenging. I tried every privilege escalation trick in my book, but nothing was successful. I decided to focus on the last box, which had a very challenging web application attack vector. For the next 5 hours, I switched between battling the privilege escalation and the web application, but wasn't successful on either. Around 7 AM, I decided to get some rest and sleep for a few hours, as I had learned in the labs that a fresh mind often works wonders when the situation looks hopeless.

At 10:30 AM I was ready to continue my fight with the two remaining boxes with a fresh head. Within half an hour, I finally found the correct attack vector for the privilege escalation. I couldn't believe that I had missed it.

By now, I knew that I had passed the exam and made sure that I had all the notes and screenshots I needed to draft the report. I did some additional research on the remaining web application but couldn't figure it out, and decided it was time to start working on the report.

By 4 PM, my report was ready and I had triple-checked that I submitted both my exam and lab report correctly according to the guidelines.

By 9 PM, I received the redeeming email: I had passed the exam and obtained the OSCP certificate.