Updated on 20200502: restriction on screen recording during the proctored exam, click here for more details.

Background

I was looking for an internship for the summer holidays, but unfortunately I could not secure one, so I decided to get the OSCP certification instead. I chose the one-month lab and scheduled it for the last month of my summer holiday, partly because I am confident in my prior knowledge of pentesting, and mainly because I am poor, and a one-month lab already costs 1100+ SGD. (It is quite sad that I didn’t find an internship to earn money, but found another way to spend money.)

Preparation

I solved 54 out of 55 machines in the lab in about half a month. I don’t have much to say about the lab practice itself, but the way the machines link to each other is really interesting (thumbs up for Offsec). So make sure to do post-exploitation information gathering on every machine you root, because you never know which piece of information is going to be useful for rooting another machine.

The reason I rushed the lab so much is that I somehow managed to find an internship with DSTA for the second half of the month, so I was interning for those two weeks and didn’t have time for the lab anymore. Anyway, the lab is just a way to get familiar with pentesting and acquire the basic skills. Most importantly, you should form your own structured way of doing a pentest, which I believe to be the end goal of lab practice.

I did the buffer overflow practice at https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/, which I found useful, as practice makes perfect.

Examination

I took the OSCP exam on 23rd August 2019 and got an email on 28th August 2019 telling me that I had earned the OSCP certification. They are quite efficient. =)


Due to the exam policy, I cannot talk about the exam machines, so I will just briefly describe the situation and give some (hopefully) useful tips from my exam.

I took the exam at 12 noon; I chose this timing so that I could have enough rest before the exam.

The exam started on time, and I headed straight for the buffer overflow question, meanwhile running nmap against the rest of the targets: nmap -T4 -p- -A -v -iL target.txt. The buffer overflow was not hard, and I have a standard procedure for it; based on my past experience with the practice I thought it wouldn’t take more than half an hour, but I only got the reverse shell from the target after two hours. =( Because of some careless and stupid mistakes I made during the exam, I kept crashing the program without getting calc.exe to pop. To make things worse, my Kali VM died halfway through, which was quite frustrating, especially since I lost all the nmap scan results and had to scan everything all over again.

After I solved the BOF, I moved on to another machine worth 25 points. It didn’t take long to get a low-priv shell, but I got stuck on the priv-esc for some time. My guess is that the exam probably won’t require kernel exploits to get a root/system shell (it should not be that easy; correct me if I am wrong), so I didn’t bother testing any kernel exploits from online. I just enumerated the processes and put every process I was not familiar with into Google to search for relevant exploits. I got the correct exploit in one shot, and boom, I got a root shell back.

With 50 points in hand and 3 hours gone, I went on to a machine worth 20 points. I figured I had three more machines to go, 20 * 2 and 10 * 1, and could pass the exam by rooting one more 20-point machine. But nmap kept segfaulting when scanning that machine, over and over, with nmap -T4 -p- -A -v ip, which was very weird, so I left it and tried the other 20-point machine.

It didn’t take me long to get a low-priv shell there either, but getting a root shell kept failing. By that time I had approximately 60 points in hand.

I went on to check the nmap scan results for the 10-point machine, ran some further enumeration on specific services, and left it running in the background. I went back to the 20-point machine that kept crashing my nmap. I did a simple port scan with netcat on some common services and ports and managed to get a low-priv shell; priv-esc didn’t take long, and by the time I got a root shell it was around 4:40 pm. At that point I had a total of 25+25+10+20 = 80 points, which is enough to pass the exam.

I went back to the 10-point machine; the enumeration had finished, and I got a root shell in about 10 minutes (10-point machine, right?). At around 5 pm I had 90 points in hand.

I was quite tired by then, but my OCD wouldn’t let me rest before I rooted the last machine. I tried all the exploits that seemed promising but could not get a shell. I went to grab a cup of water, washed my face, sat back down in front of the computer, and decided to do the enumeration all over again. It turned out to be a facepalm moment once I took a step back and examined the machine as a whole from a higher level. And yes, at around 6 pm I obtained a root shell. I had solved all five machines.

I told my proctor that I would like to take a rest, and ate my dinner. At about 7:30 pm I came back and solved every machine all over again, to make sure I had enough screenshots for the report (I was running OBS Studio to record my screen the whole time, though; I felt more secure that way). I checked one last time that I had submitted the correct flag for each machine, then told my proctor that I would like to end the exam early and wished him a good day, at about 12 am.

I wrote my 40-page report the next day. (I thought it was detailed enough, but one of my friends who has the OSCP told me that his report was 100+ pages. I was like, “wtf???? seriously?”) I followed the guide to send the report to Offsec, waited three days, and got the email telling me that I had passed the exam.

Conclusion

Some notes I would like to share with you regarding the exam:

  1. Rest is important; make sure you have had enough rest before the exam.
  2. Patience and carefulness are crucial. Otherwise you will be spending two hours on the buffer overflow. =(
  3. Take your time; 24 hours should be enough for most people (I think).
  4. If you don’t have any clues during the exam, you can ask me: enumerate more!!!
  5. Sometimes you can see it more clearly if you don’t dive too deep into it.
  6. Try harder.

Restriction on screen recording during the proctored exam

I just realized that Offsec does not allow screen recording during the proctored exam; you can see the rationale behind that restriction here. But I was recording my screen during my proctored exam on 23rd August 2019 and passed the OSCP exam.

By referring to the archives on the Wayback Machine, I realized this restriction was introduced in 2020: the archive from 14th Jan 2020 did not have such a restriction, but the archive from 18th Feb 2020 did. So I didn’t actually break the exam rules at that point in time.

It is too late tonight; the Chinese version will have to wait.

Update, 1st September 2019:

Background

I originally wanted to find an internship for the summer, but things didn’t go as planned (cue “Too Bad”: things going against your wishes play out every single day, moments of helplessness), so I thought I would get a certification instead. Through a classmate I got to know another NTU friend who was also planning to take it, and we signed up together, but he booked two months of lab while I only booked one. The lab started on 7th July and ended on 7th August; I figured I wouldn’t have that much time to practise once the semester started, so I didn’t book a longer one (to put it bluntly, I’m poor, and poverty keeps me motivated). Not finding an internship was bad enough, and then this spendthrift blew another thousand-plus Singapore dollars on a certificate that most people have never even heard of. (/ □ \)

Preparation

The lab was due to start on 7th July, but I was still messing around in Macau then; by the time I got back to Singapore it was already the 11th. Then I started hammering the lab day and night. It took about half a month to finish 54 of the 55 machines (the last one I truly could not do; on the forum everyone seemed to be hinting at 17-010, but it just wouldn’t work for me; it only had 445 and 3389 open, was I supposed to go and steal a BlueKeep exploit?). On 27th July I finished the admin network, and on 29th July I started my internship at DSTA (amazingly, I found myself a half-month internship ^O^), which is why I rushed the lab so much in the first place.


Here is a quick note on the 5 bonus points. The official OSCP exam guide mentions bonus points:


You can see that it requires a lab report plus the reports for the exercises at the end of the course material. The lab report needs to contain pentest reports for no fewer than ten machines, which is not a problem, but there are also the exercises at the end of the course PDF that Offsec gives us, which are more troublesome and time-consuming. Weighing it up, I decided not to go for those 5 bonus points.

In any case, doing the lab just gives you a basic understanding of pentesting and basic hands-on knowledge. More importantly, you have to work out your own methodology; that is the real end goal of the lab.

Also, for BOF practice I used the program from https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/, which I found quite useful; after all, practice makes perfect. Once I could finish a BOF within 30 minutes, I marched confidently into the exam.

Exam

I took the exam on 23rd August, sent the exam report to Offsec on the 24th, and on the 28th received Offsec’s email telling me I had passed the exam and obtained the OSCP certification. Very efficient.


Because of the exam policy, I cannot share anything related to the exam machines, so I will simply describe my exam experience and hope it is useful to you.

I started the exam at 12 noon. I often stay up late, so getting up at 10 am is normal for me; a 12 noon exam guaranteed that I had enough sleep and could have breakfast and lunch together before the exam.

The exam started on time. After the proctor verified my identity, I went straight for the BOF question, while also running a basic nmap scan against the other four machines: nmap -T4 -p- -A -v -iL target.txt. The BOF question itself was not hard; going by past experience, I should have been able to finish it within thirty minutes. Yet I only got a reverse shell from the target machine two hours later. Only after cursing my own blindness 1024 times did I finally pop a calculator on the debugging machine. Worse still, in the middle of the BOF my VM suddenly froze, and I could only reboot and start over; the nmap scan results had not been saved either, so I had to rescan from scratch, and my morale took a hit at that point.

After finishing the BOF, I went for the other 25-point machine. Getting a low-privilege shell didn’t take long, but I got stuck on privilege escalation for a while. My thinking was that the exam machines run fairly recent systems that are probably updated regularly, so kernel exploits likely wouldn’t work; so I didn’t try any kernel exploits there. After digging around and finding nothing usable, I simply enumerated the system processes, then put the processes I didn’t recognise or found suspicious into Google together with the keyword “exploit”. Very quickly, the first exploit I found worked and popped a root shell straight back to me. (/ □ \)

With 50 points in hand and three hours gone, I went for one of the 20-point machines. I figured I still had three machines to go, two 20-point and one 10-point, and only needed one more 20-point machine to pass. Strangely, during the nmap scan (nmap -T4 -p- -A -v ip) nmap kept giving me segmentation faults, something I had never seen before, so I set that machine aside and went for the other 20-point machine.

On the other 20-point machine I quickly got a low-privilege shell. Privilege escalation looked simple, but the exploit I found kept failing. I had an inexplicable confidence that it was the right exploit, analysed its code and modified it myself, but it still didn’t work, so I had to set it aside. By then I had 60 points in hand.

There was still the 10-point machine. I looked at the services nmap had found, ran deeper scans against the services that looked potentially vulnerable, left them running in the background in screen, and went back to the machine that kept crashing my nmap. I used nc to quickly check which ports were open, then connected to each open port with nc to identify the specific service. I soon got a low-privilege shell, privilege escalation was quick, and at around 4:40 that machine was done. At that point I had 25*2+10+20 = 80 points in total, already over the line.
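The netcat fallback described above (and in the English write-up): when nmap kept crashing, check which ports accept a connection, then connect to each open one to see what the service says. The block below is an added example, not code from the original post; it does the same two steps in Python instead of nc, assumes a port list of its own, and includes a constructed loopback service so the scanner can be tried offline.

```python
import socket
import threading

# Stand-in for the "common ports" the author checked by hand with netcat
# once nmap kept segfaulting (an assumption; the post names no list).
COMMON_PORTS = [21, 22, 25, 80, 110, 139, 443, 445, 3389, 8080]
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"  # nudges silent, request-driven services

def grab_banner(host, port, timeout=2.0):
    """The manual `nc host port` step: return (is_open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)
            except socket.timeout:  # service waits for the client to speak
                banner = b""
            if not banner:
                try:
                    sock.sendall(HTTP_PROBE)
                    banner = sock.recv(256)
                except OSError:
                    banner = b""
            return True, banner.decode("latin-1").strip()
    except OSError:  # refused, filtered or timed out: treat as not open
        return False, ""

def scan(host, ports=COMMON_PORTS, timeout=2.0):
    """Connect-scan the ports and return {port: banner} for the open ones."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            results[port] = banner
    return results

def start_fake_service(banner, wait_for_request=False):
    """Constructed loopback service (offline test aid): sends banner, exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:  # mimic HTTP: only answer after a request
                conn.recv(64)
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Ports that answer nothing even after the probe still show up as open with an empty banner, which is the signal to connect by hand and look more closely.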

Back to the 10-point machine: the scan had finished, there was one very obvious hole, and I got a root shell in 10 minutes (a 10-point machine should take 10 minutes, right?). At around five o’clock I had 90 points in hand.

Sitting in front of a computer for five hours straight is fairly normal, but five hours of intense concentration is exhausting. Still, my OCD wouldn’t let me rest before the last machine was done. I threw a whole pile of exploits at it and none of them worked; I was getting close to swearing. I told the proctor I was going to get a glass of water, washed my face while I was at it, and sat back down at the computer. I decided to revert the machine and start from scratch. Only then did I realise I had been stuck on one spot trying to find a way in; once I stepped back from that spot, I saw that the whole thing was the real way in (a bit convoluted, since I can’t describe the specifics). So at around six o’clock this last machine was rooted too, and all five exam machines were done.

I told the proctor I was going for dinner. After eating I lay on the sofa playing with my phone for a bit, and at 7:30 I sat back down at the computer. I redid every machine, confirmed that I had submitted the correct flag for the correct machine, and took screenshots of all the key steps (although I had OBS Studio recording my screen the whole time, double insurance never hurts). At around twelve o’clock I told the proctor I wanted to end the exam early, and then disconnected the VPN.


I started writing the report the next day; it took seven or eight hours to write a report of nearly 40 pages. I feel writing the report was much harder than the pentesting itself. (I thought it was already very detailed, then asked a friend how many pages his report was, and he said 100+. Me: wtf??!!) After patching up some details I got the report to 43 pages, really didn’t want to fuss over it any longer, and sent it to Offsec following the guide. Three days later I received an email telling me I had passed. The first thought in my head was: this summer wasn’t wasted after all.

Conclusion

A few takeaways?

  1. Rest is important; make sure you have slept enough before the exam.
  2. Patience and carefulness, unless you want to spend two hours on the BOF like I did?
  3. Take it slow, don’t panic; 24 hours should be enough for the vast majority of people.
  4. If you run into something you can’t do during the exam, come ask me: keep hammering!
  5. Sometimes digging too deep is counterproductive; step back and you may see more clearly.
  6. If you prepare for the exam with a friend, you can discuss the lab machines you don’t understand with each other?

That’s all for now; I’m beat.

Restriction on screen recording during the proctored exam

I later realised that Offsec does not allow screen recording during the proctored exam; you can read the reasons here. But in fact, when I took the exam on 23rd August 2019, I was recording my screen, and I still passed the OSCP exam.

Referring to the archived pages on the Wayback Machine, I realised this restriction was added in 2020: the archive from 14th January 2020 still had no such restriction, but the archive from 18th February 2020 already had it. So I actually did not break the exam rules.