Welcome to my pentest blog. Be sure to use soap.

After three months of lab time I passed and earned my OSCP. On the first try.

This is the obligatory blog that tradition says I have to start, and it will detail my journey to achieving that sweet sweet entry-level cert. How’d I do? Eighty points.

I popped, popped, and returned that cert’s initials to behind my name.

What’s next? I don’t know, but I plan on beginning to shower again every day.

My story

I started my lab time in January 2019. However, before my lab time began I spent three to four weeks practicing buffer overflows on Windows XP and 7. Once the lab time began, I split my time between doing the course material exercises during the week and attacking the labs on the weekends. Eventually I decided my time would be better spent sticking to the labs, but the exercises are important, and several times I used things directly from the book in the labs. A few days before my exam I achieved my 30th root, which I had hoped to reach sooner, since 30 is the number of machines most people recommend rooting before the exam.

My background

A deep desire to penetrate things. Some mischief, some mayhem. A little hackthebox.eu and a lot of vulnhub.

The Things You Own End Up Owning You

The exam started at 2pm, but I was only able to start at 3pm after having webcam problems.
BOF – 25 points – nailed it around 6pm
25 point box – nailed it around 2am
20 point box – nailed it around 8 am
10 point box – nailed it around 10 am
20 point box – haven’t got a clue

Exam strategy

Just a week before the exam I changed my approach and methodology. Instead of just going home with the first pretty exploitable service I could find, I would actually take a high-level look at everything running, look up exploits, and then decide on the best thing to try first. Apparently, this is a good idea. I didn’t get stuck in a rabbit hole for hours.

The buffer overflow took entirely too long for me. While I had a lot of experience doing BOFs, since I spent about a month practicing, I was just running into strange problems with bad characters. Eventually I did identify a lot of bad characters and was ready to finish my exploit, but I had so many bad characters I couldn’t generate valid shellcode! So I started over on the bad character array and changed my approach. Then everything went quickly. Be sure to have two to three techniques or processes to identify bad characters.
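To make the "two to three techniques" advice concrete, here is an added example (my own illustration, not code from the original post or from the exam) of the two usual ways of reading bad characters out of a debugger dump in a BOF lab: stopping at the first mismatch and iterating, versus diffing the whole array in one pass. The vulnerable program is replaced by a constructed stand-in, simulate_vulnerable_copy, which mangles three bytes in place; everything else (function names, the default exclusion of 0x00, the sample data) is assumed for the example.

```python
# Added example, not from the original post: two ways of spotting "bad characters"
# when a test byte array is sent through a program and read back from a debugger
# memory dump. All data below is constructed; no target or network is involved.

def build_badchar_array(exclude=(0x00,)):
    """Return every byte 0x00..0xff except those already known to be bad.

    0x00 is excluded by default because it terminates C strings and is almost
    always bad. Each round adds the bytes found in the previous round.
    """
    return bytes(b for b in range(256) if b not in set(exclude))


def first_mismatch(sent, dumped):
    """Technique 1: stop at the first byte that does not match.

    Reliable even when a bad byte truncates or shifts everything after it
    (for example a byte the program treats as a terminator): only the first
    difference is trusted, that byte is added to the exclude list and the
    array is resent. Returns (offset, sent_byte), or None when the copy is clean.
    """
    for offset, (s, d) in enumerate(zip(sent, dumped)):
        if s != d:
            return offset, s
    if len(dumped) < len(sent):          # dump ended early: truncation at that point
        return len(dumped), sent[len(dumped)]
    return None


def all_mismatches(sent, dumped):
    """Technique 2: compare the whole run in one pass.

    Faster when bad bytes are replaced in place (0x0a -> '?', for example) so
    the rest of the array keeps its position. Misleading after a truncating or
    shifting byte, which is why a second technique is worth having.
    """
    return [s for offset, s in enumerate(sent)
            if offset >= len(dumped) or dumped[offset] != s]


def simulate_vulnerable_copy(payload, mangled=frozenset({0x00, 0x0a, 0x0d})):
    """Constructed stand-in for the target program: it replaces a few bytes in
    place with '?' (0x3f), the way some input filters do. In a real lab this
    step is reading the buffer back out of the debugger."""
    return bytes(0x3f if b in mangled else b for b in payload)


def find_bad_chars(copy_fn, known_bad=(0x00,), max_rounds=256):
    """Iterate technique 1 until a clean copy comes back; returns sorted bad bytes."""
    bad = set(known_bad)
    for _ in range(max_rounds):
        sent = build_badchar_array(exclude=bad)
        hit = first_mismatch(sent, copy_fn(sent))
        if hit is None:
            return sorted(bad)
        bad.add(hit[1])
    raise RuntimeError("too many bad characters; check the harness")


if __name__ == "__main__":
    sent = build_badchar_array()
    dumped = simulate_vulnerable_copy(sent)
    print("first mismatch:", first_mismatch(sent, dumped))        # (9, 10)
    print("all mismatches:", [hex(b) for b in all_mismatches(sent, dumped)])
    bad = find_bad_chars(simulate_vulnerable_copy)
    print("bad chars:", [hex(b) for b in bad], "-> usable bytes:", 256 - len(bad))
```

The usable-byte count at the end is the number that matters for the problem described above: every byte wrongly added to the exclude list (for instance, everything after a truncating byte when only the one-pass diff is used) shrinks the alphabet an encoder has to work with, until it can no longer produce output at all. Cross-checking the two techniques against each other is the cheapest way to catch that.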

Next I moved onto the 25 point box. I picked the 25 point box next because I have seen way too many people get stuck in the 55 to 65 point jail. Nothing was extremely hard about the 25 point box, but it certainly was time consuming. When I wrote my report, the 25 point box was half of my page count. But at this point it was about 02:00 and I had 50 points. Feeling pretty good I decided to sleep for five hours. Instead I woke up at 05:00 after three hours of sleep, ate some air fried french fries, and got back to it around 05:30.

The 20 point boxes certainly seemed more difficult. By that I mean harder to exploit, but with far fewer steps than the 25 point box. The 20 point box that I rooted luckily played to my strengths. On the other 20 point box, I couldn’t even figure out how to get a shell.

When I ran “whoami && hostname && ipconfig && proof.txt” and saw that I had an admin shell, it felt like someone stopped strangling my heart! Boom, 70 points, enough to pass. I took a short break. Came back and quickly banged out the 10 point box for more points in case my report was less than adequate.

It was now 10 am. I had four hours left. Instead of trying to get 100 points, I decided to redo the first three boxes, get more screenshots, and take better notes. What better way to make sure you can write up a full walk-through than doing the box from start to finish? I’m glad I did, because my notes for the 25 point box sucked! It was a struggle to follow them and root the box a second time, and I already “kinda” knew what I was doing. I was recording my screen this whole time, but it was much better having extra time to run through it, write down notes, and put my commands in a single document.

Pokemon hunting and the report

I finished up my time touching up my documentation and then took about a two hour break to eat lunch and go Pokemon hunting (go Team Blue!).

Then I started on my report. I spent about six hours, watched two hours of TV, slept for five hours, and put about six more hours into the report the next day. It was shorter than most reports that I’ve heard about on the interwebs, but I prefer concise communication. Screenshots were cropped to only what’s important. Only about two lines of scanner output. But I had a high-level summary and thorough step-by-step instructions and “code” formatted boxes for my commands.

The Long Wait for Results

I submitted my report at about 8pm Tel Aviv on Sunday night. I received my results about noon (Tel Aviv time) on Thursday. I couldn’t have been happier.