My OSCP journey began when I began cybersecurity, 9 months ago. Back then I didn’t know how to change directories or read files in Linux, let alone what Kali Linux was. I didn’t even consider cybersecurity as a potential career path and was unaware of the existence of offensive security as a career. However, a Zoom meeting from my club, SWIFT, changed all my views in one small sitting back in June of 2021. This post will be divided into a categorization of the months between my start in cybersecurity and now, so just scroll to the section of my prepartion that seems most interesting.
Some of my thoughts
My overall journey to the OSCP was an incredibly informative one, although this is a bit biased since I started off knowing absolutely nothing. I do believe the labs and material hold potential value, but I did not utilize them very much, if at all. I found the learning from Hack The Box and Proving Grounds to be sufficient, along with the methodology I developed from doing them. The bare minimum skills I reccomend before attempting this certification are:
- Familiarity with the CLI of Windows and Linux
- Understanding of what ports are on a computer
- Persistence, resilience, and passion
Once you’ve done some practice and feel ready to take the exam, the key skills I reccomend are:
- Enumeration of services and potential linkage between them
- Flexibility with your methodology
This isn’t an exhaustive list, just the stuff that I believed that helped me the most. Also, screenshot everything, from your nmap scan, to file transfers, and even running simple payloads.
The Journey
The First Month
I got started, not even knowing what the OSCP was, by doing Bandit OverTheWire and TryHackMe. At the time I was in a bootcamp for the Collegiate Penetration Testing Competition (CPTC) hosted by the SWIFT club and headed by my colleague, Alex. The homework assigned by Alex was sourced from these sites.
OverTheWire is a very useful resource for learning the basics of the Linux command line and some tools that you’ll eventually use as apart of an offensive skillset. There are around 30 or so stages and I completed them in about 10 days. I initially got through the first few ones easily, but they progressively became very difficult and each level after the tenth took me between 30 minutes and 2 hours to solve. By the end I was somewhat familiar with certain commands and the concept of positional arguments and flags.
TryHackMe is a cybsercurity education resource that offers “rooms”, which are like multi step labs. TryHackMe provides a lot of support when it comes to solving its rooms, making it very beginner friendly. I did the following rooms: Linux PrivEsc, Windows PrivEsc, Ice, Vulnversity, OWASP Top 10, and Metasploit. Knowing the Linux command line after doing OverTheWire helped significantly, and these rooms helped esetablishing a baseline for an offensive methodology and techniques.
As I was doing all of this, I stayed late after one bootcamp meeting and saw Alex and Robinson, another colleague, working on something called “Hack The Box”. I solved a box, Bounty Hunter, with them and immedietly got hooked. At the beginning of August, I completed my first box, Cap.
The Middle Months
After my first box, I was addicted to Hack The Box. While it took me a long time to solve each box (approximately 10 hours each), by my first 10 I was slowly getting used to it and developed a rough methodology. My colleagues Brice and Justin helped me out a lot with that. In the end of September I purchased by first Hack The Box VIP subscription. I compromised about 28 machines within that first subscription which helped me reinforce my methodology while learning a few new techniques and technologies.
The regional round of CPTC came so I had to take a break, but this gave me a great opportunity to practice my report writing. Once that was over, it was another subscription and I got 38 boxes this time, with a grand total of 86 boxes starting from August. This was more refining methodogy, as many of the boxes weren’t too dificult. However, I did Active, Forest, Resolute, and Blackfield, which are all Active Directory (AD) boxes and helped me gain a solid idea on the basics of AD pentesting.
The Ending Months
I decided to attempt the Dante Pro Labs from Hack The Box, a network of around 13 machines. It wasn’t too difficult and took a few days to complete, and I mainly learned how to pivot with it. From this point until my first attempt in February I did Proving Grounds Practice boxes every day, approximately 3, and one day I did 10 of them. Before my first attempt I completed about the entirety of TJ Null list, excluding some of the challenge boxes that were included. I also did the Buffer Overflow room on TryHackMe, which provided significant aid in understanding the process. I scheduled my first exam attempt for the middle of February, and it was an absolute failure. With 0 points I was completely shocked and I took a break for the following month. For that month I mainly focused on learning how to use iptables and docker; things quite irrelevant to the exam.
The Exam
A Rough Start
After a stressful CCDC competition with a lackluster ending, I jumped right into my second attempt. The first three hours were a bit rough; I got a foothold on AD within a few minutes, but the rest of the boxes seemed tough. My scans were dry, and the services even dryer. The initial shell I had seemed hopeless, with only one suspicious thing on the host, but I couldn’t figure out how to leverage it. Flashbacks of my first attempt were strong here.
A Breakthrough
After taking a 15 minute break, I decided to do what I could and quickly gained the proof flag on the only easy looking box. Riding off this momentum, I found the solution to the box I was stuck on after some intense inspection and connecting the results of my enumeration. This box came with an extremely simple privesc, granting me another 20 points and furthered my excitement. I took another 15 minute break, feeling very divisive. On one hand I had a lot of momentum and potential to pass; I just needed the AD domain. On the other hand, if I couldn’t get AD, then everything I got so far would be for nothing.
Pressing the Advantage
After my break I ran back into AD and discovered an privilege escalation vector for the entrypoint. Luckily, the rest of the domain fell just as quickly; 20 minutes after taking down the first AD machine, I got DA and a total of 80 points. With only a total of 7 hours gone by, I took an hour break to celebrate my 80 points. After 5 hours of screenshotting and beginning my report, I accidently got a low privilege session on the last box, leaving me with a grand total of 90 points. I went to sleep about 2 hours later, although I only managed about 5 hours of sleep.
Wrapping it Up
I woke up, continued my data collection and quadruple checked my report, as well as discovered another privilege escalation vector for a box I already finished. I made sure to include this in my report, just in case. I ended my exam early after collecting all my evidence which I checked multiple times over (although I forgot one nmap scan). I wrote the rest of my report in a few hours, and checked it constantly for the next 7 hours. After I submitted, I waited for about a day, and saw this beautiful email.
What’s Next?
Now that I have my certification, I have some confidence in my methodology and basics. I wanna get more technically skilled and practice more AD and evasion, so I’m heading for the CRTO next. Although that OSEP looks very nice, I still think its quite beyond my reach. Maybe when I get my CRTO. These past 9 months have been wild, and I’m excited to move forward.