Crack OSCP with 100 points in second attempt!

Hi everyone, I am happy to share that recently I passed my OSCP exam in my second attempt, 4 weeks after my first attempt. Look back my OSCP journey, I have a lot to share, I hope my experience will help you! The journey is over 3 months, and less than 4 months, I think it is relative fast, I don’t have any penetration testing experience. I am not going to show off, I just want to say, you can also do it, only with proper learning methodology, and avoid my mistakes.

My Background

Have been in studying cyber security for some years, but I don’t have any penetration testing experience. I start to take certification course from the beginning of this year, and my first certification is CEH. I thought I would become a hacker after getting CEH, but I was wrong. I passed CEH with a decent score, but I can clearly remember I could not disginguish curl and wget at that time, how could I become a hacker? Then I start to practice on TryHackMe, and passed CEH Practical exam, CompTIA security+, OSWP, and eJPT respectively. During the process, my skill is improved, but it is far away from OSCP’s level. I registered OSCP at the end of June, then I began my OSCP journey.

The timeline

Jan: Registered CEH course.

Apr: Passed CEH, registered CEH Practical and CompTIA Security+.

May: Passed CEH Master, CompTIA Security+.

June: Registered and passed OSWP and eJPT, registered OSCP.

Sep: My first attempt of OSCP Exam, 55 points.

Oct: My second attempt of OSCP Exam, 100 points. Registered CRTO (Certified Red Team Operator).

How I prepare for OSCP?

I did not finished any HTB or VulnHub machine before, and I was not confident in my skills, so I choose PWK 365. Because I hear that most people spend 6–12 months on OSCP, while I don’t have any penetration testing experience, I could need more time. But it turns out that I made a wrong decision, I only used PWK Lab for the first month, totally completed 19 machines, including the big 4 (Sufferance, gh0st, pain, Humble). Meanwhile, I also made a right decision, after completing 19 machines of PWK Lab, I turned to Proving Ground. I think, the decision is the most important factor of my journey. 19 PWK lab machines absolutely are not enough for me to form a decent methodology, I turned to Proving Ground and practice easy and intermediate (Community Rated Difficulty) machines. Then, I start to practice hard machines. After 1 month, I completed all community rated easy, intermediate, and hard machines. I only have community rated very hard machines left, I knew I would be in struggle, I slow down my pace. Before that, I completed 2 or 3 machines per day, when it came to very hard machine, I asked myself to only complete 1 machine per day or per 2 days. It was a humbling experience, I leant a lot fun vectors from these very hard machines, even many of them are beyong OSCP scope. 2 weeks before my first attempt, I cleared all PG machines (There was 78 PG machines at that time)

One week before my first attempt, I arranged an OSCP mock exam for myself, the link of the machine set is https://h4cklife.org/posts/a-pre-exam-for-future-oscp-students/. I started the mock exam from the time which was the same as my real exam, I did the BoF machine first, and use autorecon to scan other machines. Finally I finished all machines within about 6 hours. I accidently saw one 20 points machine’s walkthrough during searching, so I did not count this one. I would say, the set of machines are easier than actual exam, but it is a good way to prepare yourself.

In the last week before my first attempt, I reviewed my methodology notes, personal walkthroughs of all machines I had done, and watched IppSec’s video. The last day before exam, I practiced BoF twice and had a good sleep. My exam was scheduled at 2:00 PM. I sleep late and wake up late, so it is a nice time for me : P

In summary

HackTheBox: 3 machines

VulnHub: 5 machines (From Mock Exam)

Pwk Labs: 19 machines

Proving Ground: 78 machines

THM: 4 Learning Paths

My First Attempt

I must admit that I was tempted by vanity, when I took my first attempt, I only been in OSCP journey for over 2 months. I thought if I pass it, it will be great proof of my talent. Therefore, I was stessful, anxious, I talked to myself that I must pass, I cannot tolerate my failure.

I completed BoF within 30 minutes, then I turned to the 10 points machine. The 10 points machine was more tricky than I thought. I thought I could have a one-tap exploitation, but it had some rabbit holes. But overall, it was easy, I spent 50 minutes on it. Therefore, I got 35 points in 80 minutes. My confidence got a boost, but I would never thought that I lost my confidence in following hours. Then I started to enumerate the first 20 points machine. In folloiwng few hours, I made no progress. I became more and more anxious and streesful, I requested to take a rest for multiple times, I switched between the three machines…After 6 hours, I suddenly found that I missed an extreme low-hanging frust, I over-complicated it. Then I got a little confidence boost. The PE part is new to me, but I can easily find a lot articles about this on the Internet. I followed steps, but I could not get a shell. I became anxious again, I shouted to myself, why, why it did not work! After about 2 hours, I found that I made a little mistake, how careless I was. Then, I root it. Up to that time, I had 55 points. The victory was not far away from me!

But I would never know that it was the last confidence boost for me. I switched to the second 20 points machine, I could identify the vulnerability, and found all available exploits. I would say, it was the most silly part of my first attempt. I tried an exploit again and again, because I could give me an instant shell if the exploitation was successful. I did not even try other exploits. I searched modified version of the exploit, from exploit-db to github, from github to even other countries’ blog website. I was only thinking about getting an instant shell, rather than try other exploits to gather more information. I think I won’t be this usually, but I lost all my calmness.

As to the 25 points machine, I thought I find the entry, but I have no idea on how to exploit it.

That’s it, finally I got 55 points of my first attempt. Before moving to the second period of my journey, I want to spoil that I met the 20 points machine and the 25 points machine again, I am not lucky, right? : P

Between two attempts

What did I do after my first attempt? I installed the vulnereble application on my VM, and I calm down. I tried another exploit against the vulnerable application, and I exploited successfully! I realized that the exploit I used during my first attempt was a rabbit hole, it distracted me from the intended way! But I still had no idea of the 25 points machine.

Between the two attempts, I did not practice a lot, only few machines. I took 2 weeks for relax, kept myself away from OSCP. The third week, I began to practice machines again, the last week, I reviewed my notes and walkthroughts, and practice BoF.

The most important, I leart to relax and be calm. I realized that OSCP is not my whole life.

My Second Attempt

When I saw 3 familiar IP on my exam email, I got a mixed feeling. This time, I was no longer anxious and nervous. I finished BoF with 23 minutes, and completed the 10 points machine with about 40 minutes. It means, I got 35 points with 1 hour. This time, the 10 points machine has more enumeration, but I selected the intended exploit fortunately at first time, rather than try them one by one.

Then I immediately turned to the 20 points machine which make me so depressed. Since I exploited the vulnerable application on my VM successfully before, I got a foothold in less than 2 minutes. When it comes to Privilege Escalation, I got stuck for a while. But later, I found I became careless again, I made a little mistake. By correcting the mistake, I root the machine in about 30 minutes. I defeated my nightmare easily this time.

I felt so relaxed, because I made progress! Then, I turn to the second 20 points machine. I talked to myself that it was too early to relax, because on my first attempt, one of 20 points machine are quite easy, but this time, the remaining 20 points machine looks complex. It has more enumeration, but it is also easy to locate the entry, so I saved a lot of time. Its PE part is a little annoying, I can easily find a lot of articles about this PE vector, but there are many steps. Anyway, it is not difficult, and I root it finally.

At this time, I got enough points to pass, I became quite relaxed. I requested a long break (about 37 minutes), and then returned to solve the final one. Even though I did not solved it last time, but I had eliminated all rabbit holes, so I directly focus on the entry. I enumerated the content that I did not enumerated last time with the thought of giving it a try, and then I found a breakthrough. Why I missed it last time!!! The 25 points machine is not hard, but have multiple steps. Follow steps of the PoC, I got a foothold. The PE part, is very basic, but it does have multiple steps. I think the 25 points machine is not even as hard as the second 20 points machine.

In summary, my second attempt is little harder than my first attempt, and the two machines I did not get point are actually not hard. I over-complicated them.

TIPS

1: Proving Ground is your best practice resource. I would say, PWK Labs are not enough for you to pass the exam. I have made a list of OSCP-Like machines in Proving Ground, check it: https://github.com/ziyishen97/OSCP-Note/blob/main/Proving%20Ground%20Machines.xlsx

2: Make your own notes and walk throughs. I am willing to share my personal notes and walk throughs, but no one’s is better than yours!

PG Walk Throughs: https://github.com/ziyishen97/Proving-Ground

Methodology Notes: https://github.com/ziyishen97/OSCP-Note/blob/main/OSCP-Methodology.pdf

OSCP-Web-Methodology (Share some contents with Methodology Notes): https://github.com/ziyishen97/OSCP-Note/blob/main/OSCP-Web-Methodology.pdf

BoF detailed steps: https://github.com/ziyishen97/OSCP-Note/blob/main/BoF.pdf

3: Pay attention to details

How to download/upload files?

How to turn RCE to Shell?

Why the exploit does not work?

How to compile C code on different OS?

Different reverse shell payloads?

etc.

4: Keep a balance between OSCP and your life, take good rest!

I only sleep 4 hours during my first attempt, and I felt extreme exhausted after exam.

5: Keep a balance between tryharder and hints/walkthroughs

Actually I did not try harder, I usually turned to hints and walkthroughs, but I summized them extreme carefully and patiently, I spent hours per machine on writing my personal walkthrough and adding content to my notes. Anyway, you need to make sure that you have lessons from these machines.

6: Always from low-hanging fruit! Do not over-complicate things.

OSCP does not expect you to launch advanced exploit, just enumerate harder, from low-hanging fruit.

Difficulty

The most proper word to describe exam machine is not hard or easy, it is tricky. What does tricky mean? You can try Peppo in PG. Fortunately, most PG machines are very close to exam machines.

PG community rated difficulty as standard

My first attempt

10 points: between easy and intermediate

20 points: intermediate

20 points: between intermediate and hard

25 points (Not BoF): Hard

My second attempt (Harder than the first attempt)

10 points: between easy and intermediate

20 points: between intermediate and hard (Also in my first attempt)

20 points: Hard

25 points (Not BoF): Hard (Also in my first attempt)

Great resources

1: GTFOBins: https://gtfobins.github.io/ (Low-hanging PE vector)

2: Autorecon: https://github.com/Tib3rius/AutoRecon (Excellent scanner)

3: Linpeas: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS (PE vector enumerator)

4: Winpeas: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS (PE vector enumerator)

5: Nishang: https://github.com/samratashok/nishang (Bypass AV)

6: THM BoF rooms: https://tryhackme.com/room/bufferoverflowprep (You only need practice this for BoF)

7: HackTricks: https://book.hacktricks.xyz/ (You can find most fresh services/ports, vectors, etc.)

8: Pspy: https://github.com/DominicBreuker/pspy (Detect hidden cronjob and process)

Summary

Actually I had the chance to pass my first attempt, when I look back it, it is simple, but unfortunately I did not catch the oppotunity. It does not matter, from the failure of my first attempt, I leant a lot. Both mental and technical. I hope my experience can help more people to aviod my mistakes. Always be clam and confident, you all can make it!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store