OSCP and Penetration Testing

12 minute read

RedTeamImage

Introduction

This post helps tie in a number of sources or pieces of information which are useful when conducting penetration testing engagements or when going for a certification such as Offensive Security Certified Professional (OSCP).

Disclaimer

This is not designed as a manual on how to scope or perform penetration tests. If you need to perform a penetration test it’s important to understand the scope of your engagement and the environment you’re working in to prevent going out of scope or causing harm.

Note: A number of links here are hosted external to this website which may pose an increased risk if the owners of these websites let their domain lapse or change what’s on them.

Offensive Security Certified Professional (OSCP) Preparation

Why should I listen to you?

It’s up to you whether you do or don’t. I receive no commission from this and merely wish to share my experience based on requests received from others.

During my time undertaking the latest 2020 PWK + OSCP certification I managed:

  • To fully compromise approximately 80% of the Lab Environment.
  • To fully compromise Pain, Sufference, Gh0st, and Humble.
  • To unlock all networks in the Lab Environment.
  • To compromise 90% of the Exam Environment.
  • To write a 60-page report in the 24hrs proceeding the 24hr exam.
  • To successfully be granted my OSCP Certification on my first attempt.

Despite this there were a number of mistakes made which others can learn from.

Background

In February 2020 Offensive Security released an update to their Penetration Testing with Kali Linux (PWK) Course and their associated Offensive Security Certified Professional (OSCP) Certification. This update includes new lab machines, new course content, and like the previous version requires a proctored 24hr exam to take place to earn your certification in addition to a report being completed on how this was done in the 24hrs proceeding the exam.

For those who aren’t aware PWK is the foundational course offered by Offensive Security, and OSCP is their associated certification which can only be obtained by completing the PWK Course and a 24hr exam.

Starting Out - Questions and Lab Time

Starting out you’ll likely have a lot of questions on the process, what to expect, how to get started etc. To make this process easier links are provided below for the official PWK/OSCP FAQ.

Now that you’ve had a read about OSCP and had some of your questions answered, if you’re now deciding to take PWK and/or the OSCP exam you’ll want to gauge your current workload and decide how long you want in the lab environment. At the time of writing PWK grants 30 days of lab access + an exam attempt at the base price of $999 USD.

One thing to keep in mind is that any time you spend reading the course material or outside of the lab environment is time that you don’t have in the labs popping shells.

Why Should I Care?

You get access to the lab environment the same time you get access to the course material. Let’s say hypothetically in and out of life it takes you just over 2 weeks of reading the course material and completing the exercises because you want to submit an exercise writeup (this gets you bonus marks towards your exam).

  • Quick maths: 30-15=15

You only have half the amount of time left to spend in the lab environment, and depending on what machines you’re hitting, your knowledge, and the time you spend in there, you will likely get very little out of this when compared to the weath of knowledge you could gain in the labs.

My Approach

I was fortunate to personally have 90 days of lab time. Depending on your schedule I’d say you can get a lot out of 60 days lab time. With 30 days you will likely need some pre-existing knowledge or devote a lot of time in the labs, and even then there’ll likely be a lot in the lab you never get to see or learn from.

MISTAKE #1: I was focussing too much on the course material.

Wanting to get bonus marks for the exam I worked through the course material meticulously documenting it for a while before stopping. I found some of the questions were tedious and basic (great for those coming at this with no experience, but not so good for someone with experience and who wanted a challenge).

As such I wound up not wanting to put time into the coursework and ended up wasting time not doing anything when I should have been using this time in the lab. Weigh up if the coursework and bonus marks are worth it for you, and learn from my mistake.

Starting Out - VM and Notekeeping

Getting a working VM setup will take some time to ensure there’s no technical issues. It’s worth starting with the recommended VM setup from Offensive Security for use with VMware, but you can just as easily use another provider such as Virtualbox.

Currently this can be found in the FAQ. 2 links are shared below:

For notekeeping a number of tools are available. From conversations with others the software listed below are some of the most commonly used throughout PWK/OSCP:

Why Should I Care?

Notekeeping becomes incredibly important in recreating exploits, storing essential findings, keeping screenshots, common commands you ran to reach an outcome and more. Without sufficient notekeeping you’re only setting yourself up to fail.

My Approach

I used the provided kali virtual machine and VMware Workstation Player.

I started with CherryTree and quickly moved to Joplin for my notekeeping. If you have no idea how to layout your notes for later retrieval or what information is of relevance, you can always start with a template from someone who has been in your shoes and tailor it as you see fit. 2 templates have been provided below, I personally used both at some stage.

MISTAKE #2: I was trying too hard to fit these templates.

Wanting to ensure I had information neat and tidy I was trying too hard to fit these templates. For someone who can get head down into trying to pop a machine, every time I stopped to try and gather information to fit this template I would wind up stalling for prolonged periods of time or stepping away to do something else.

This issue was resolved when I created essentially a “scratchpad” for notes, commands + output, items of interest, and screenshots when working on a machine. This process will differ for each person, but find what works for you and stick with it.

Working through the Lab Environment and Coursework

Once you get in the lab environment you may not know where to start, how to structure working directories for machines and gather loot, or even what IP to start with.

There’s a variety of ways to approach this, some ideas to get you started are below:

  • Ping sweeps to find hosts online.
  • Viewing IPs available in your user panel (where resets are performed).
  • Pick low hanging fruit which look like they may be easy to exploit, some have dependencies.
  • Follow the NEW PWK Labs Learning Path

Overall when working through the coursework you’ll want to make sure you put in enough time on Buffer Overflows to understand them and perform them.

When working through the labs you’ll want to make sure you have a methodology for enumerating a host and progressing through your findings to gain a shell all the way through to post-exploitation recon and privilege escalation.

Some useful tools for automating enumeration and performing Buffer Overflows can be found below. It should be noted that understanding how these tools work, how to achieve their results manually and what problems they solve should be as much of an aim as knowing how to use them. Remember that OSCP aims to teach you how to identify and exploit vulnerabilities, not to automate vulnerability scanning and exploitation.

Automatic Enumeration Tools

Buffer Overflows

Having cheat sheets can be invaluable. Fortunately some people have already put in a lot of great work in creating these when it comes to OSCP and penetration testing as a whole. A starting point for different cheat sheets that may be of value can be found below:

Privilege Escalation

Reverse Shells

SQL Injection

Pentesting-All-In-One

MSFVenom

Why Should I Care?

You want to succeed right? You want to learn right? This may just get you over the line.

My Approach

When undertaking PWK/OSCP Offensive Security never had a learning path, but something that’s been around for a long time now is TJ_Null’s list of Vulnhub/OSCP-like VMs. A curated list of these in addition to a youtube series created by IppSec who walks through how you can compromise these systems is below.

I personally worked through understanding a subset of these systems and learning techniques that could be used prior to getting into the PWK Lab.

MISTAKE #3: When working through the lab environment I would suspend my VM when it wasn’t in use.

Although this in itself isn’t an issue, a problem became present where upon resuming my VM the network manager service would often crash causing ‘no network connection’. This issue was resolved by creating a bash script with the below and just running it whenever it occurred.

#! /bin/bash
systemctl restart NetworkManager.service

Through the labs I spent time making sure I had every step of a standard Buffer Overflow ready and templated up, I cannot stress this enough, if you can come up with a repeatable process to performing these you’ll be in a good position.

For system enumeration I wound up using nmapAutomator a lot. With this I could run scans while I left to go to the shops or perform other tasks which with how life is can often be helpful. I also added some alias’ for common commands I’d run for enumeration so I didn’t need to remember all the parameters for something I would be performing a lot of times against different hosts.

MISTAKE #4: I trusted without verifying

During enumeration you are presented with a number of pieces of information, ports, banners, scan results etc.

One thing to remember is that the key to success is properly enumerating and understanding what you’re looking at. This includes challenging any preconceived assumptions you may have on what service must be running on a particular port, or what a particular banner must mean. As the old saying goes, trust but verify.

Overall I attempted to spend as much time as I could in the lab and stay away from the forums if at all possible. During my last couple of weeks in the lab the forums were used more frequently to get the most out of time left in the lab.

Exam Day

Once you schedule your exam date you can change it a certain number of times but you should try to set a date and time that works for you. Once the big day has arrived you’ll want to ensure you understand the exam requirements and how it will be facilitated. As always 2 links relating to this are below.

Keep in mind that it may take you a long time to complete the exam, even if you’ve excelled in the labs. This is because enumeration and exploitation is an exploratory process and if you miss one piece of information or thread to pull on, then you can miss the whole way of exploiting a particular system.

Keep calm, take regular breaks (e.g. you get a shell? Take a break! You’re stumped for ideas? Take a break!), go for a walk at lunch (or dinner? Depends what time you’re sitting the exam) to clear your mind as you’ll likely hit a point where you get stumped for ideas.

Why Should I Care?

Succeeding in your first attempt will save you money on having to take the exam again. This will also ensure you understand how the exam will flow to put your mind at ease. By going for a walk you allow your mind to wander and take in everything you’ve seen without looking at the same screen and trying to take in more new information all the while keeping yourself healthy.

My Approach

Personally it took me 7-8hrs to get the points required to pass, and everything after that was just a bonus.

MISTAKE #5: I lost an hour getting proctoring setup and approval to start

You want to have proctoring run as smoothly as possible, so try a dry run of your exam or proctoring to ensure there’s no technical difficulties. Your proctor may take far longer than 15minutes to verify your identity and system (mine did), this is an uncontrollable circumstance, so stay calm and try to get through it. Remember that the proctor cannot help you with any technical difficulties.

To remain consistent with exam conditions I won’t be going into the exam itself or how I went about it, but what I will say is that you’ll likely run out of ideas before you run out of time. Some points that may help:

  • Take screenshots regularly of items that will go in your report, an easy way of doing this is using PrntSc and using ‘select active window’.
  • Take notes properly, this is going to help in your report. Heck if you think you’re good for time start putting your notes into your exam report.
  • Have snacks and food sorted. You don’t necessarily want to spend too long looking for food or preparing food if you don’t need to. Having this up your sleeve may save you an hour to be used elsewhere.
  • Reward your successes and have fun.

Remember that this is designed to be passable within 24hrs including breaks, and the exam reflects this. If you fail, it’s not the end of the world and you will hopefully have learned where your weaknesses are. If you succeed, then congrats you’re now OSCP certified.

Further useful exam preparation guides and blogs have been outlined below for further reading as they may help you succeed! Best of luck!

Exam Preparation Guides and Blogs

Penetration Testing

Placeholder - Section may or may not be expanded on in the future to encompass cheatsheets for Penetration Testing.