updated on 20200502: restriction on screen recording during the proctored exam, click here for more details.

### Background

I was looking for an internship for the summer holidays, but unfortunately I could not secure one, so I decided to get the OSCP certification instead. I chose the one-month lab and scheduled it for the last month of my summer holiday, partly because I am confident in my prior knowledge of pentesting, but mainly because I am poor, and the one-month lab already costs 1100+ SGD. (It is quite sad that I didn't find an internship to earn money, but found another way to spend money.)

### Preparation

I solved 54 out of 55 machines in the lab in about half a month. I don't have much to say wrt lab practice, but the way the machines link to each other is really interesting (thumbs up for offsec). So make sure to do the post-exploitation information gathering on every machine you root, because you never know which piece of information is going to be useful to root another machine.

The reason I rushed so much in the lab is that I somehow managed to find an internship with DSTA for the second half of the month, so I was doing the internship for those two weeks and didn't have time for the lab anymore. Anyway, doing the lab is just a way to get you familiar with pentesting and to acquire the basic skills. Most importantly, you should form your own structured way of pentesting, which I believe to be the end goal of lab practice.

I did the buffer overflow practice at https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/, which I felt was useful, as practice makes perfect.

### Examination

I took the OSCP exam on 23rd August 2019 and got an email on 28th August 2019 telling me that I had acquired the OSCP certification. They are quite efficient. =)

Due to the exam policy, I cannot talk about the exam machines, so I will just briefly describe the situation and give some useful tips (I wish) from my exam.

I took the exam at 12 noon; I chose this timing so that I could have enough rest before the exam.

The exam started on time, and I headed to do the buffer overflow question while running nmap to scan the rest of the targets: `nmap -T4 -p- -A -v -iL target.txt`. The buffer overflow was not hard, and I have a standard procedure for it; based on my past experience with the practice, I thought it wouldn't take more than half an hour, but I only got the reverse shell from the target after two hours. =( Because of some careless and stupid mistakes I made during the exam, I kept crashing the program without getting calc.exe to pop. To make things worse, my Kali VM accidentally died halfway, which was quite frustrating, especially as I lost all the nmap scan results and had to scan everything all over again.

After I solved the bof, I went to touch another machine worth 25 points, and it didn't take long for me to get a low-priv shell, but I was stuck on the priv-esc for some time. My guess is that the exam probably won't test you on using kernel exploits to get a root/system shell (it should not be that easy; correct me if I am wrong), so I didn't bother to test any kernel exploits from online. I just enumerated the processes and put every process I was not familiar with into Google to search for relevant exploits, and I got the correct exploit in one shot, and boom, I got system root.

With 50 points in hand and 3 hours passed, I went on to do a machine worth 20 points. I was thinking that I had three more machines to go, 20 * 2 and 10 * 1, and I could pass the exam with one more 20-point machine rooted. But nmap kept giving me a segmentation fault when scanning that machine over and over again with `nmap -T4 -p- -A -v ip`, which was very weird, so I left it there and tried the other 20-point machine.

It didn't take me long to get a low-priv shell there either, but getting the root shell kept failing; by that time, I had approximately 60 points in hand.

I went on to check the nmap scan result of the 10-point machine, started some further enumeration on specific services, then left it running in the background. I went back to the 20-point machine which kept failing my nmap. I did a simple port scan with netcat on some common services and ports, and managed to get a low-priv shell; priv-esc didn't take long, and by the time I got a root shell, it was around 4:40 pm. At that point of time, I had a total of 25+25+10+20 = 80 points, which is enough to pass the exam.

I went back to the 10-point machine, where the enumeration had finished, and I got the root shell in about 10 minutes (10-point machine, right?). At around 5 pm, I had 90 points in hand.

I was quite tired by that time, but my OCD was forcing me not to take a rest before I rooted the last machine. I tried all the exploits which seemed quite promising, but could not get a shell. I went to grab a cup of water, washed my face, sat in front of the computer, and decided to do the enumeration all over again. It turned out to be a facepalm moment when I took a step back and examined the machine as a whole from a higher level. And yes, at around 6 pm, I obtained a root shell. I had solved all five machines.

I told my proctor that I would like to take a rest, and ate my dinner. At about 7:30 pm, I came back and solved the machines all over again, to make sure I had enough screenshots for the report (I was running OBS Studio to record my screen all the time though; I felt more secure that way). I checked for the last time that I had submitted the correct flag for each corresponding machine, told my proctor that I would like to end the exam early, and wished him a good day, at about 12 am.

I crafted my 40-page report the next day. (I thought it was detailed enough, but one of my friends who had the OSCP told me that his report was 100+ pages. I was like, "wtf???? seriously?") I followed the guide to send the report to offsec, waited three days, and got the email telling me that I had passed the exam.

### Conclusion

Some notes I would like to share with you regarding the exam:

1. Rest is important; make sure you have had enough rest before the exam.
2. Patience and carefulness are crucial. Otherwise you will be spending two hours on the buffer overflow. =(
3. Take your time; 24 hours should be enough for most people (I think).
4. If you don't have any clues during the exam, come ask me, and enumerate more!!!
5. Sometimes you will see it more clearly if you don't dive too deep into it.
6. Try harder.

#### Restriction on screen recording during the proctored exam

I just realized that offsec does not allow screen recording during the proctored exam, and you can see the rationale behind that restriction here. But I was recording my screen during my proctored exam on 23rd August 2019 and passed the OSCP exam.

By referring to the archives on the Wayback Machine, I realized this restriction was enforced in 2020, as the archive from 14th Jan 2020 did not have such a restriction, but the archive from 18th Feb 2020 had this restriction in place. So actually I didn't break the exam rules at that point of time.

Updated on 1st September 2019:

### Summary

1. Rest is important; make sure you have slept enough before the exam.
2. Patience and carefulness, or you will spend two hours on the bof like me?
3. Take it slowly, don't rush; 24 hours should be enough for the vast majority of people.
4. If you run into something you can't solve during the exam, come ask me, and keep hammering at it!
5. Sometimes digging too deep backfires; stepping back may let you see it more clearly.
6. If you are preparing for the exam together with friends, you can discuss with each other whenever you get stuck on something in the lab?