OSCP WriteUp by Martijn Kamminga
History on my CyberSecurity journey:
On September 1st, 2019, I started my CyberSecurity training journey. In December of the same year, I was proud to earn my Certified WhiteHat Associate (CWA) through the Hackers-Arise program.
From September 2020, I worked as a CyberSecurity Analyst, while also dedicating time to lab environment (1 month) reports and hands-on experience. My passion for this field was further solidified through several attempts at the OSCP exam, including my first attempt in December of 2020, second attempt in February of 2021, and subsequent attempts in June and October of 2022.
In April of 2021, I started working as an Ethical Hacker and was honored to receive my eWPT certificate in August of the same year. Additionally, I completed 90 days of lab time between February and April of 2022 to further enhance my skills.
Most recently, on January 24th, 2023, I took my fifth attempt at the OSCP exam, continuing my commitment to professional growth in the field of CyberSecurity.
The Exam and advises in between:
My journey to becoming an OSCP certified professional was a roller coaster of emotions and challenges. I had failed the exam four times before I finally found my stride. I realized that I was studying too hard, which was causing me to feel anxious and frustrated before the exam. So, I took a step back and did what felt right for me.
For me, that meant no stressing of weeks before the exam, no food before the exam and plenty of sugar drinks and candy. Instead of working without breaks, I took frequent breaks of 15-45 minutes, especially at the beginning of the exam when I was feeling the most nervous. I started the exam at 10:00 and the initial scans at 10:15. I soon realized that I didn't have a buffer overflow machine in my exam. In case you need a good resource for BoF I recommend the following resource:
Be sure when you have your hands on your training material for BoF you try to master this without the cheatsheet!
If you succeed within the hour, it's easy peasy on your exam.
Enumeration is key and you should always look for the low-hanging fruit first. Once you find something interesting, take a break to reset your mind and continue with a fresh perspective.
The thing I've created to help me along several exams is the following repository I created myself:
Also consider these courses from a starters perspective:
- https://academy.tcm-sec.com/p/linux-101
- https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course
It's important to have a solid understanding of privilege escalation techniques, as they can sometimes be challenging. However, with time, the machines have become more advanced, so it's important to keep your techniques up-to-date.
Privilege Escalation Resources:
- https://tryhackme.com/room/windows10privesc
- https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners
To understand this material I've used the following resources for a Test VM of Windows 10 1709.
Suplemental thise course can provide additional insights:
I was able to enumerate my way into the first machine and used a well-known technique from my lab notes to pwn it at 11:49. The second and third machines were approached using a technique from a Github creator at blackhillsinfosecurity, and I successfully pwned both remaining AD machines at 13:42 and 13:56 respectively.
According to the exam guide, there should be a minimum of three proofs of ownership, which was the case for me. I verified this with my Administrator access using the PowerShell query:
Get-Childitem -Path C:\ -Recurse | Where-Object {$_.Name -match 'local.txt|proof.txt'}Unfortunately, my autorecon process failed and I lost some important data, but I had taken precautionary screenshots and saved this and the output in my OneNote, so I was able to use that information in my report. As a note for autorecon, make sure you have enough RAM to perform intense tasks. 16GB RAM would be recommended.
I took a good break arround 16:30 ate dinner and took a long walk to clear my mind.
I continued on to the Linux and standalone Windows machines and, in each case, I relied on my tried-and-true approach of enumeration to find open ports and the information needed to gain access. In one instance, I was unable to escalate privileges, but I still managed to pwn the user at 18:23.
To understand this material I've used the following resources for a Test VM of an old Linux machine.
Additionally the following site can provide a handy reverse shell:
The Windows machine was more challenging and required multiple attempts and adjustments to the exploit command line options before I finally gained user access at 00:18. I was relieved to have 60 points and another 10 points for my lab report, which included one AD Set and six unique machines. I wanted to push for another 10 points, but I called it quits at around 06:30 in the morning, feeling content with what I had accomplished.
Lessons learned:
1. Consistent effort and dedication towards professional development leads to progress.
2. Hands-on experience and laboratory work are crucial for improving skills.
3. Taking exams and earning certifications can validate one's knowledge and skills.
4. It is important to have a growth mindset and to continue learning and seeking new challenges.
5. Persistence is key, as demonstrated by multiple attempts at the OSCP exam.
Lessons learned on what not to do:
1. Don't neglect hands-on experience and laboratory work.
2. Don't give up after the first attempt at a challenging exam.
3. Don't rely solely on certifications and exams to validate one's skills.
4. Don't ignore the importance of continuous learning and seeking new challenges.
5. Don't get discouraged by failures and setbacks, use them as opportunities to grow and improve.
