Hello all, another week of the OSCP has gone by, so here comes another blog post. If you haven’t seen my previous posts, you can check them out here. I’ll again follow the very unorganized style of my last two posts. Feel free to follow me on Twitter to catch any future posts as well.
Who are you and what prior experience do you have?
My name is Derek and I’m a random college kid studying Computer Science. In terms of prior experience, I hold some of the “HR-friendly” certifications: Security+, SSCP, GSEC and CCENT. I have also taken the eCPPT certification, which I would HIGHLY recommend if you can afford it. Additionally, I am semi-active on HackTheBox (not so much the last few months due to school), with around 40 boxes owned. I also post video walkthroughs of HackTheBox and Vulnhub boxes here, more for my own retention than anything else. Overall, I’d say I have relatively solid background experience for the OSCP, but not nearly enough to confidently jump right into the exam or anything; not even close.
What progress has been made since the last post?
This last week has been far from my best – overusing the forums, script kidding the priv esc process, using Metasploit; I’m definitely not proud of the work I’ve done this past week, particularly the overuse of Metasploit. I think I used Metasploit twice in my first 24 boxes. This week, I used it multiple times. Nonetheless, my total owned count is now up to 35, meaning 11 lab boxes were completed this week. Two of those boxes were part of the “big four” (Pain and Sufferance), and another two were client-side exploits (which were pretty damn satisfying). All I really have left to do are the other two toughies (Ghost and Humble), some internal boxes, and the remaining public boxes that have some sort of dependency. I have a decent foothold into two of the three internal networks, know the vector for exploiting Humble, and hopefully the rest will come naturally.
What have you struggled with?
There hasn’t been any one particular thing I’ve noticeably struggled with this week; just a few odds and ends. I’ve started running into protocols and services I’m not super familiar with, most notably LDAP. I’ve done LDAP-related stuff before, but for some reason the general structure and concepts never stuck with me. I, like so many others, would benefit SO much from some sort of “Attacking Active Directory” course. AD is one of the most fundamental services used within real environments, yet it continues to be the weak point for such an abundance of people, including myself. I’ve also run into some SQL alternatives, which ALWAYS trip me up. My mind is so tuned to working with SQL that any sort of alternative absolutely destroys me. I should be able to shore up these weaknesses (at least enough for the labs) with a bit of dedicated research, so I’m not TOO concerned about it.
What have you excelled at?
My buffer overflow times are currently at ~25 minutes, which is a really good sign for the exam. The OSCP buffer overflow is very easy, especially compared to what actual buffer overflows look like in modern exploits. Once you get the procedure down, it’s actually a very mechanical, thoughtless process. Again, this is only the case because the buffer overflows introduced in the OSCP are meant to be very simple; this isn’t me saying “buffer overflows are easy.” This is me saying that, as far as I can tell, the OSCP buffer overflow will be very easy. If all goes well, I should be able to get my 25 buffer overflow points within the first hour of my exam, which is comforting.
As a quick side note, I would also like to say that, despite these buffer overflows being pretty easy compared to the real world, doing them has really sparked an interest in me for exploit development. I have always had an interest in the operational side of pen-testing and the operational side alone; exploit development, bug hunting and things like that always seemed too tedious (and difficult) for me. However, I’ve really enjoyed writing exploits from scratch while practicing buffer overflows. I certainly plan on dabbling in exploit development much more than I would have wanted to a month ago.
When’s the Exam?
My first exam is officially scheduled for July 14th, which is about a week away. Originally, I was going to do the exam the day after my lab time ended (August 2nd), but I decided strategically that didn’t make much sense. It’s better, in my opinion, to schedule your first exam attempt sometime DURING your lab time; that way, when you fail, you can purchase a retake for whatever it is ($100-$300, something pretty cheap), and use your remaining lab time to focus on what you struggled with.
Let me be perfectly clear when I say that I will not be passing on my first attempt. I know that, I’ve come to terms with that, and I’m okay with that. I’m using the first exam attempt more as a litmus test to see where my weaknesses are early on so I can be as effective as possible on my second attempt sometime in August. On the surface, it may seem like I have a strong chance of passing since I’ve done 35+ boxes, but a lot of those boxes were done ineffectively or downright illegitimately. My box count is not indicative of how competent I actually am. Here are a few reasons why:
- I depended far too heavily on kernel exploits, which I heard are much less common on the exam.
- My methodology is all over the place; no consistency, no efficiency. In a short 24 hour time span, this will come to bite me.
- ~7-8 of the boxes were exploited using Metasploit in some manner, which I don’t treat as actually completed. This means I’ve really only done 27 boxes. Additionally, ~3-4 of the boxes I escalated using Dirty Cow, which in my head does not count either. So really, I’m down to about 24 boxes truly completed.
- For ~5-6 of the boxes I used the OffSec forums for help. For most of these I was already on the right path, but getting that confirmation still delegitimizes the box in my mind.
So, in actuality, there have only been 18 or so boxes where I can say that I, Derek Kleinhen, hacked that computer. For the other 17, I, Derek Kleinhen, pointed other people’s guns at that computer and let them shoot for me.
I don’t mean this to sound cynical or demeaning to people who use Metasploit/forums/etc. There’s no reason NOT to use those tools if they are at one’s disposal, and I don’t look down on people who do. However, in a training environment where I am supposed to be determining how competent I am at understanding how to break into a computer, using such resources very much blurs the line. I don’t feel like I completed a box if I used someone else’s enumeration script; I don’t feel like I completed a box if I pulled someone else’s exploit code and ran it blindly. It is, of course, ridiculous to assume you can ever survive in this industry without ever using other people’s tools and exploits. I understand that, and I agree with that. And, if I were in an actual pentest engagement, I would have no problem firing Metasploit’s MS08-067 module at will. The context, however, is quite important; the OSCP is supposed to prove to myself that I understand the fundamentals of hacking. Can I really tell myself I understand what’s going on when I spam other people’s tools, or get help from others who have already completed the boxes? That’s not me proving my own concrete understanding, that’s me wielding the understanding of others. I know this view is illogical and misguided, but it’s just one of the many self-destructive mindsets I can’t seem to shake.
What’s your gameplan going forward?
Because my first attempt is coming up, I’m probably going to take a step back from hitting the lab machines and focus more on consolidating my tools, nailing down an actual methodology, and getting my environment ready. I know there exist tools like AutoRecon that are said to really help the process, but I wouldn’t feel fulfilled using something like that. I do, however, plan on writing my own script that will make things, particularly initial nmap scans, as automated as possible. I’m also going to get every script, tool, commonly used exploit code, and pre-compiled binary all into one place. I probably have 50+ copies of the same nc.exe binary sitting on my box atm; there’s simply no reason for that.
Besides that, all that’s left to do is wait for July 14th, get some experience on what I need to improve on during my throwaway exam, then do the rest of the labs with those weaknesses in mind. After that, I think I’ll be good to go to pass the exam sometime in August.
That’s all for now. Sorry for the probably-controversial philosophical speech; I hate thinking it just as much as you hated reading it. My next blog post will probably be after my first attempt, which should be a packed post that touches on where my weaknesses were and the pitfalls I’ll inevitably fall into. Thanks for reading!
Discord Channel: https://discord.gg/CCZCJCu