I was looking for an internship for the summer holidays, but unfortunately I could not secure one, so I decided to get the OSCP certification instead. I chose the one-month lab and scheduled it for the last month of my summer holiday, partly because I am confident in my prior pentest knowledge, and mainly because I am poor: a one-month lab already costs 1100+ SGD. (It is quite sad that I didn’t find an internship to earn money, but found another way to spend money.)
I solved 54 out of 55 machines in the lab in about half a month. I don’t have much to say regarding lab practice, but the way the machines link to each other is really interesting (thumbs up for Offsec). So make sure to do post-exploitation information gathering on every machine you root, because you never know which piece of information is going to be useful for rooting another machine.
The reason I rushed so much through the lab is that I somehow managed to find an internship with DSTA for the second half of the month, so I was doing that internship for those two weeks and no longer had time for the lab. Anyway, doing the lab is just a way to get familiar with pentesting and acquire the basic skills. Most importantly, you should form your own structured way of pentesting, which I believe to be the end goal of lab practice.
I did the buffer overflow practice at https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/, which I found useful, as practice makes perfect (熟能生巧).
I took the OSCP exam on 23rd August 2019 and got an email on 28th August 2019 telling me that I had acquired the OSCP certification. They are quite efficient. =)
Due to the exam policy, I cannot talk about the exam machines, so I will just briefly describe the situation and give some (hopefully) useful tips from my exam.
I took the exam at 12 noon; I chose this timing so that I could have enough rest before the exam.
The exam started on time, and I headed straight for the buffer overflow question, while meanwhile I used nmap to scan the rest of the targets:
nmap -T4 -p- -A -v -iL target.txt
The buffer overflow was not hard, and I have a standard procedure for it. I thought it wouldn’t take more than half an hour, based on my past experience with the practice, but I only got the reverse shell from the target after two hours. =( Because of some careless and stupid mistakes I made during the exam, I kept crashing the program but not getting calc.exe to pop. To make things worse, my Kali VM accidentally died halfway through, which was quite frustrating, especially as I lost all the nmap scan results and had to scan everything all over again.
After I solved the BOF, I went to touch another machine worth 25 points. It didn’t take long for me to get a low-priv shell, but I got stuck on the priv-esc for some time. My guess is that the exam probably won’t test you on using kernel exploits to get a root/system shell (it shouldn’t be that easy; correct me if I am wrong), so I didn’t bother testing any kernel exploits found online. Instead I just enumerated the processes and put every process I wasn’t familiar with into Google to search for relevant exploits. I got the correct exploit in one shot, and boom, I got the system shell back.
With 50 points in hand and 3 hours passed, I went on to a machine worth 20 points. I was thinking that I had three more machines to go, 20 * 2 and 10 * 1, and that I could pass the exam with one more 20-point machine rooted. But nmap kept giving me a segmentation fault, over and over again, when scanning that machine with
nmap -T4 -p- -A -v ip
which is very weird, so I left it there and tried the other 20-point machine.
It didn’t take me long to get a low-priv shell there either, but getting the root shell kept failing. By that time, I had approximately 60 points in hand.
I went on to check the nmap scan results for the 10-point machine, ran some further enumeration on specific services, then left it running in the background. I went back to the 20-point machine that kept crashing my nmap. I did a simple port scan with netcat on some common services and ports, and managed to get a low-priv shell; priv-esc didn’t take long, and by the time I got a root shell it was around 4:40 pm. At that point, I had a total of 25+25+10+20 = 80 points, which is enough to pass the exam.
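Two things in the account above are worth having a tool for: nmap crashing on one target, and a dead VM taking every scan result with it. The following is an added example (my own code, not the author’s and not an Offsec tool) of a minimal TCP connect scanner that plays the role the netcat fallback played in the post, and that appends each result to a file the moment it is known, so a crash loses at most one probe. The port list is a constructed default; the hostname, the results file name and the `ncscan_` prefix are my assumptions.

```python
import json
import socket
import sys
from pathlib import Path

# Constructed default: a stand-in for the "common services and ports" the post
# mentions. Adjust to the engagement; nothing about this list is authoritative.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
                993, 995, 1433, 3306, 3389, 5432, 5900, 8000, 8080, 8443]


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connect() to host:port completes within timeout.

    A plain connect scan needs no raw sockets and no OS fingerprinting, so it
    works where an nmap -A/-p- run is crashing. Banner grabbing is left to the
    later per-service enumeration step.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, name resolution failed
        return False


def scan_ports(host, ports=COMMON_PORTS, timeout=2.0, out_file=None):
    """Probe each port in order and return the sorted list of open ones.

    When out_file is given, every probe result is appended as one JSON line and
    flushed immediately, so a VM crash mid-scan (the situation in the post)
    loses at most the probe that was in flight, not the whole scan.
    """
    open_ports = []
    fh = open(out_file, "a", encoding="utf-8") if out_file else None
    try:
        for port in ports:
            is_open = probe_port(host, port, timeout)
            if is_open:
                open_ports.append(port)
            if fh:
                fh.write(json.dumps({"host": host, "port": port, "open": is_open}) + "\n")
                fh.flush()  # write through now, not at interpreter exit
    finally:
        if fh:
            fh.close()
    return sorted(open_ports)


def load_results(out_file):
    """Rebuild the open-port list from a results file, even a partial one."""
    path = Path(out_file)
    if not path.exists():
        return []
    open_ports = set()
    for line in path.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record["open"]:
            open_ports.add(record["port"])
    return sorted(open_ports)


if __name__ == "__main__":
    # Assumed usage: python ncscan.py <host>; defaults to localhost for a dry run.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results_path = f"ncscan_{target}.jsonl"
    print(f"open on {target}: {scan_ports(target, out_file=results_path)}")
    print(f"recovered from {results_path}: {load_results(results_path)}")
```

The results file is append-only JSON lines rather than a single document written at the end, which is the whole point: after a reboot, `load_results` gives back what was already learned and the scan can resume from the last port recorded.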
I went back to the 10-point machine; the enumeration had finished, and I got the root shell in about 10 minutes (it’s a 10-point machine, right?). At around 5pm, I had 90 points in hand.
I was quite tired by then, but my OCD forced me not to take a rest before I rooted the last machine. I tried all the exploits that seemed promising but could not get a shell. I went to grab a cup of water, washed my face, sat back down in front of the computer, and decided to do the enumeration all over again. It turned out to be a facepalm moment when I took a step back and examined the machine as a whole from a higher level. And yes, at around 6pm, I obtained a root shell. I had solved all five machines.
I told my proctor that I would like to take a rest, and ate my dinner. At about 7:30 pm, I came back and solved the machines all over again, to make sure I had enough screenshots for the report. (I was running OBS Studio to record my screen the whole time though; I feel more secure that way.) I checked one last time that I had submitted the correct flag for each machine, then told my proctor that I would like to end the exam early and wished him a good day, at about 12am.
I crafted my 40-page report the next day. (I thought it was detailed enough, but one of my friends who had the OSCP told me that his report was 100+ pages. I was like, “wtf???? seriously?”) I followed the guide to send the report to Offsec, waited three days, and got the email telling me that I had passed the exam.
Some notes I would like to share with you regarding the exam:
- rest is important; make sure you have had enough rest before the exam.
- patience and carefulness are crucial. Otherwise you will spend two hours on the buffer overflow. =(
- take your time; 24 hours should be enough for most people (I think)
- if you don’t have any clues during the exam, ~~you can ask me~~ enumerate more!!!
- sometimes you can see things more clearly if you don’t dive too deep into them.
- Try harder.
I just realised that Offsec does not allow screen recording during the proctored exam; you can see the rationale behind that restriction here. But I was recording my screen during the proctored exam on 23rd August 2019 and passed the OSCP exam.
By referring to the archives on the Wayback Machine, I realised that this restriction was enforced in 2020: the archive from 14th Jan 2020 did not have such a restriction, but the archive from 18th Feb 2020 did. So I actually didn’t break the exam rules at that point in time.
Originally I wanted to find an internship for the summer holidays, but things didn’t go as planned (cue the song 《too bad》: “things going against your wishes plays out day after day, those moments where you are powerless”). So I thought I would get a certification instead. Through a classmate I got to know another friend from NTU who was also planning to take it, so we signed up together; he registered for two months of lab, while I only registered for one. The lab started on 7th July and ended on 7th August. I figured that once the semester started I wouldn’t have that much time to practise, so I didn’t register for longer (to put it bluntly, I am poor, and poverty keeps me motivated). Not finding an internship was bad enough, but then this spendthrift blew over a thousand Singapore dollars on a certification that most people have never even heard of. (/ □ \)
Let me mention here what those five points are about. The bonus points are described in the official OSCP exam guide:
As you can see, it requires a lab report plus a report on the exercises at the end of the course material. The lab report needs to include pentest reports for no fewer than ten machines, which is not a problem, but it also needs the exercises at the end of the course PDF that Offsec gives us; that is rather troublesome and time-consuming, so after weighing it up I decided to forgo those five bonus points.
nmap -T4 -p- -A -v -iL target.txt
The BOF question itself was not hard; based on past experience, I should have been able to finish it within thirty minutes. Yet I only got the reverse shell from the target machine two hours later. After cursing myself for being blind 1024 times, I finally got a calculator to pop on the debugging machine. Worse still, halfway through the BOF my VM suddenly froze, so I had to reboot and start over; even the nmap scan results had not been saved, and I had to start scanning all over again. My composure was on the verge of collapse at that point.
After I finished the BOF, I went for another 25-point machine. Getting a low-privilege shell did not take long, but I got stuck for a while on privilege escalation. My thinking was that the exam machines run fairly recent systems that are presumably updated regularly, so kernel exploits probably would not work, and so I did not try any kernel exploits there. After looking around and not finding anything usable, I simply enumerated the system processes, then put the processes I had not seen before or found suspicious into Google together with the keyword “exploit”. Very quickly, the first exploit I found worked and gave me a root shell straight back. (/ □ \)
nmap -T4 -p- -A -v ip
kept giving me a segmentation fault during the scan, something I had never encountered before, so I simply set that machine aside and went to do the other 20-point machine.