My OSCP Journey!

Imtodess
Published in PenTester Nepal
5 min read · Jan 5, 2022


Who am I?

Just your average guy who got interested in security during the COVID lockdown. I took the OSCP exam (without any prior experience in security) on Dec 2nd and passed it on the first attempt with 100 points.

Why and how it all started

My journey into security started during the COVID restrictions/lockdown. Around this time, I came across a lot of bug bounty posts, videos, and news on security breaches, which got me interested in cyber security. Later, I joined the Digital Overdose Discord channel (a great infosec community), where I met awesome people and learned a lot more about security. One of the mods from the channel suggested I go for the OSCP. After some research (and pestering my parents to fork out the funds), I began my preparation.

The preparation

I only had some basic knowledge of networking, tools, vulnerabilities, and Linux. I used THM (profile at the end of this section) to learn the very basic stuff before tackling the boot2root boxes. After getting comfortable with Linux and some security concepts, I began looking into some of the VulnHub boxes. Besides THM, I used the following resources:

Linux

Web

Study plan!

Created a study plan with a friend and decided to tackle a certain number of boxes per week. The list of VulnHub boxes we did:

  • Kioptrix series (1,2,3,4 & 2014)
  • Pwnlab
  • Development
  • Mercyv2
  • Symfonos series (1–4)
  • Misdirection
  • Sar

Then some retired (easy) machines on HTB, as well as Proving Grounds machines from @Tj_Null’s list.

My profiles:

TryHackMe | Imtodess

Hack The Box

PWK Lab

Took one month of lab access, which started on Sep 12. It came with an 800-page PDF and 12+ hours of video. The content was too dry for me to go through, so I skipped the videos and only referred to the PDF when needed. Didn’t have much trouble with the lab machines, as I had practiced a lot (HTB and VulnHub) and developed a methodology that worked for me. Cracked about 50–55 machines: almost all machines from the public subnet and 5 from the IT subnet. Didn’t pivot into the other networks, as my experience with the lab was very bad; it had a ton of technical problems.

Post lab/final prep

Scheduled my exam for Dec 2. Did 20+ machines from HTB, retired as well as active ones (rated Easy and Medium). Most of my time then was spent on boxes from Offsec Proving Grounds Practice; it’s one of the best resources out there to prepare for the OSCP, IMO. Did about 55 machines from Proving Grounds before my D-day.

Proving Grounds machines that I cracked:

Roquefort | Slort | XposedApi | algernon | apex | authby | banzai | billyboss | bratarina | ClamAV | Clyde | Compromised | Dibble | Exfiltrated | Fail | hawat | helpdesk | Hetemit | Hunit | interface | internal | jacko | kevin | meathead | medjed | metallus | muddy | nibbles | nickel | payday | pebbles | pelican | peppo | postfish | quackerjack | snookums | sorcerer | surf | sybaris | twiggy | ut99 | vault | walla | webcal | wombo | zenphoto | zino

Exam day

The exam was scheduled to start at 6:45 am. Connected to the proctoring software and went through some procedures. Started my scans at around 7:15. My plan: BOF → 25 → 20 → 20 → 10.

Finished the BOF within the first 45 minutes. Attempted the 25 pointer and got side-tracked by a rabbit hole for some time. At 12 pm I got root on the 25 pointer. Even though I had secured 50 points in the first 6 hours, it took me another 6 hours just to reach the passing mark. At the 12-hour mark I had 80 points (one 20 pointer remaining; I knew the attack vector but couldn’t exploit it). Instead of tackling the last machine, I started preparing my report, as I didn’t want to miss a crucial screenshot and end up with an incomplete report. For the report, I used whoisflynn’s report template. By the time I finished writing the report I only had 2 hours left before my VPN expired. So I went for the remaining 20 pointer and got root (it was the easiest machine of the bunch; turns out I was just overcomplicating it). Updated my report, proofread it 4 or 5 times, and submitted it. Got my result after 3 days, on Dec 5th, and was officially OSCP certified.

My badge:

Offensive Security Certified Professional (OSCP) was issued by Offensive Security to Aashish Tamang.

PS: And yes, I didn’t sleep. I had been awake for 30 hours by the time I submitted my report and went to bed. I do not recommend doing this at all. Exhaustion results in tunnel vision, and you might miss obvious exploits or vulnerabilities, which I did experience on one of the 20 pointers. So definitely take a lot of breaks and don’t be afraid to start over.

Additional Resources and Tips

  • Lists to practice from:

NetSecFocus Trophy Room — Google Drive

  • Best Guides:

The Journey to Try Harder: TJnull’s Preparation Guide for PEN-200 PWK/OSCP 2.0 | NetSec Focus

Introduction · Total OSCP Guide (gitbooks.io)

  • Came across an unknown service and don’t know how to enumerate it?

HackTricks — HackTricks

  • OSCP GOLDMINE

OSCP Goldmine (not clickbait) | 0xc0ffee☕

  • Privilege Escalation

Linux Privilege Escalation Tutorial: Become an Ethical Hacker | Udemy

Basic Linux Privilege Escalation — g0tmi1k

Windows Privilege Escalation for OSCP & Beyond! | Udemy

FuzzySecurity | Windows Privilege Escalation Fundamentals

  • BOF

Exploit writing tutorial part 1 : Stack Based Overflows | Corelan Cybersecurity Research

Exploit writing tutorial part 2 : Stack Based Overflows — jumping to shellcode | Corelan Cybersecurity Research

Writeups and walkthroughs:

0xdf hacks stuff

IppSec — YouTube

IppSec — Search

OSCP CHANGE

OSCP Exam Change | Offensive Security (offensive-security.com)

According to Offsec:

The new exam structure will become available for students beginning on January 11, 2022. All scheduled exams for January 11th onward are subject to the new structure.

The OSCP exam format is set to change: it will include a 40-point AD set and three 20-point machines. The BOF is now a low-privilege vector worth 10 points instead.

Resources for AD:

Practical Ethical Hacking — The Complete Course | TCM Security, Inc. (tcm-sec.com)

TryHackMe — Throwback — Attacking Windows Active Directory || Part One — YouTube

WADComs

Machines to practice AD:

HTB: Forest | Resolute | Cascade | traversex | Monteverde | Sauna | Sizzle | Multimaster

PGP: Heist | Hutch | Vault

What’s next?

This is just the beginning, a small step towards cyber security. Keep in touch to know what I am up to, or if you want some help with your own OSCP preparation.
