My OSCP Certification Journey June 2017

I'm here to share my experience / review of successfully passing the well-known hands-on certification "Offensive Security Certified Professional" (OSCP). Please tweet me @vikzsharma if you want me to add or remove anything from the post; this is my first ever blog post!

{---- Listening - "Hack all the things - Dual core" ----}


So the journey started after reading a lot of reviews of the course, playing various Capture the Flags, reading walkthroughs of VulnHub machines & finally I was motivated to sign up after my ex-colleague @y0geshd successfully passed the PWK exam. He is currently chilling / hacking sitting on his MacBook Pro on the other side of the world ;). Thanks for the motivation Yogesh!

Suggested Skills to Grab before applying for OSCP

~ You already have a basic understanding of enumerating any system for vulnerabilities, whether it's a web application or a vulnerable network service. - Advanced Penetration Testing for Highly-Secured Environments

~ You are familiar with the daily used & useful Linux commands.

~ You know what reverse shells are.

~ You know what TTY shells are & why we need to spawn them.

~ You know what Local File Inclusion is.

~ You know what Remote File Inclusion is.

~ You are quite familiar with doing manual exploitation, whether it's SQL Injection, LFI, RFI, Directory Traversal, etc. **Avoid Metasploit / Nessus / automated stuff** as much as possible. (Honestly, I did use "Nikto" ~_~)

{---- Listening -"SophSec - Nice Report"----}

~ You will have to think like a stupid / outdated admin during the journey of exploiting the lab machines. (*Remember the lab is designed with real-world vulnerable scenarios & is *not* a CTF lab.*)

~ You know what Client Side Attacks like XSS are. (Wait! What! XSS? Yeah, you're gonna enjoy client-side exploits too in your OSCP labs. You're gonna spawn shells by redirecting users ;).)

~ You are pretty good at understanding exploits by reading them. (Forget blind compile & exploit shit.)

~ You are familiar with enumerating & attacking network services like SAMBA / SMB / Windows Domain Enumeration

~ Forget the normal top-1000 ports scan & do the "-p-" full port scan, or else you're gonna bang your head sometimes.

~ You are an nmap champ: you know well how to use scripts & you always keep the **defaults** - http-enum, smb-shares, ftp-anon, http-webdav-scan, mysql-info, http-shellshock, etc. - in your backpack while enumerating any system - NMAP Cheatsheet

~ You know how file transfers are done on both platforms, Linux & Windows.

~ You know what restricted shells are & how to break out of them.

~ You are familiar with various types of privilege escalation techniques -
Windows Privilege Escalation
Linux Privilege Escalation

~ You know how to write a basic vanilla / stack-based buffer overflow exploit from scratch. Trust me, this was the only thing which scared me at first about the course. But thanks to the PWK course content, after watching the video / PDF content multiple times, following the steps & taking notes of every step in Notepad, I understood it perfectly. At first it took me more than 2 hours to exploit it in the lab. I did the same thing multiple times with notes / without notes. I was done with the BOF exploit in one and a half hours during the exam.

~ Most important thing: you have lots of patience & a craze with a stubborn attitude for hacking into machines.

~ You would need some Red Bulls, coffees, beers, smokes (your choice) during the lab journey / exam. ;)
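To make the stack-based buffer overflow point in the skills list above concrete from the defender's side, here is an added C example (my own, not from the PWK course or this post). It shows the unchecked strcpy() pattern that makes a vanilla stack overflow possible, beside a bounded copy that refuses oversized input instead of silently truncating it. The 64-byte buffer size, the function names and the constructed 199-byte input are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a 64-byte stack buffer, the shape of buffer used in
 * vanilla stack-overflow exercises (the size is an assumption). */
#define BUF_SIZE 64

/* Vulnerable pattern: strcpy() copies until the NUL terminator and never
 * looks at the destination size, so any input longer than BUF_SIZE - 1
 * bytes writes past buf onto the adjacent stack data (saved registers,
 * return address). Shown for illustration; nothing in this file calls it
 * with an oversized input. */
void vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);              /* no bounds check */
    printf("vulnerable_copy: copied %zu bytes\n", strlen(buf));
}

/* Pure check: would an input of input_len bytes overflow a buffer of
 * buf_size bytes? One byte is reserved for the terminator. */
bool would_overflow(size_t input_len, size_t buf_size) {
    return input_len + 1 > buf_size;
}

/* Length measurement that never reads more than max bytes of s
 * (same idea as POSIX strnlen, written out to stay portable). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Hardened copy: measure with an explicit bound, reject input that would
 * not fit together with its terminator, then copy exactly len bytes.
 * Returns the number of bytes copied, or -1 if the input was rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *input) {
    if (dst == NULL || input == NULL || dst_size == 0) {
        return -1;
    }
    size_t len = bounded_len(input, dst_size);
    if (len >= dst_size) {
        return -1;                   /* would overflow: refuse, do not truncate */
    }
    memcpy(dst, input, len);
    dst[len] = '\0';
    return (int)len;
}

/* Helpers that drive the hardened copy with constructed inputs so the
 * results can be checked without any target binary. */
int demo_short_input(void) {
    char out[BUF_SIZE];
    return bounded_copy(out, sizeof out, "hello");   /* fits: returns 5 */
}

int demo_oversized_input(void) {
    char big[200];                                   /* constructed 199 x 'A' */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char out[BUF_SIZE];
    return bounded_copy(out, sizeof out, big);       /* rejected: returns -1 */
}

int main(void) {
    printf("63-byte input overflows a 64-byte buffer? %s\n",
           would_overflow(63, BUF_SIZE) ? "yes" : "no");
    printf("64-byte input overflows a 64-byte buffer? %s\n",
           would_overflow(64, BUF_SIZE) ? "yes" : "no");
    printf("bounded_copy(\"hello\") -> %d\n", demo_short_input());
    printf("bounded_copy(199 x 'A') -> %d\n", demo_oversized_input());
    vulnerable_copy("short and safe");               /* in-bounds call only */
    return 0;
}
```

The design choice worth noting is that bounded_copy() returns an error rather than truncating: a copy that quietly drops the tail keeps the program from crashing but also hides the fact that something sent more data than the protocol allows, which is exactly the signal a defender wants logged.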

Suggested Vulnerable VulnHub VMs:

Breaking / experimenting with the VulnHub machines is what everyone suggests before OSCP; I would suggest going through some of the machines listed below:

Online Penetration Testing Platform Lab - https://www.hackthebox.eu/en

People say it's similar to the OSCP lab machines; you can surely give it a try before applying for OSCP (this was something on my to-do list after OSCP).

Some Tools / Scripts to Make your life easy :

Privilege Escalation Scripts - These would help you in enumerating the system during post-exploitation to gain root access.

Sparta - Network Infrastructure Penetration Testing Tool
- Best tool for autopilot nmap scans, default credential checks for specific services running on a port, Nikto, taking snapshots of the running services, etc.

I would suggest referring to one of my favorite blogs for the best categorized penetration testing cheat sheets & enumeration methodology - http://highon.coffee/


I ordered the course for 2 months, which includes the course material (PDF/videos) & mainly the 2 months of lab access. Let's categorize this into two parts:

Course Material

You get the PDF book & video tutorials of PWK (Penetration Testing with Kali Linux course). The course material has one of the best ever sets of content I have seen until now, which includes step-by-step information on every topic with proper examples. In fact, even a person with a basic understanding of networking & Linux would get into core network pentesting using the course material (obviously he / she should give their best on researching the things given in the course).

The video course is truly awesome & worth every penny; it's gonna walk you through everything which is in the PDF notes. You will understand the buffer overflow easily if you follow the exact steps in the video.

Lab Network Access

This is the actual place you learn, improve & sharpen your pentesting skills. The lab puts you in a network which has a number of vulnerable machines with real-world scenarios. You would be exploiting machines vulnerable through network services, web applications, SMB share misconfigurations, default credentials, basic brute forcing with rockyou.txt, samdump2 -> john hash cracking ;), to pivoting into restricted networks. Every machine in the lab network will teach you something different & make you realize "Why the heck didn't I think of this in the last 2-4-6-10 hours?".

There are about 50 machines (more or less) in the whole network, which includes various departments. I did get up to the second-last department, which was the ADMIN department. Managing work alongside the offsec training is real pain (sleepless nights, drunk face at work ;)).

Exam {---- Listening - "T.I. - Go Get It" ----}

I booked my exam for the weekend of 24th June 2017 & my lab time expired on 22 June. I went out for a trip with my bestie at Sinhagad for some refreshment and quality peaceful time the day before my exam:

Exam Day - Timeline :

2 hours - 1st Machine down - root \m/

3 hours - 2nd Machine down - root \m/

6 hours - 3rd Machine down - root \m/

2 hours - 4th Machine down - root \m/

*Red Bulls* *Chocolates*

~ Parents, friends, colleagues calling:

3 hours - 5th Machine down - non-root (:. Sadly I tried the whole night & the next day but had no luck on this one for root :|. Remember to take snapshots of every main step from the enumeration stage to the post-exploitation stage.

Slept for some 5-6 hours, went out to chill, came back, created the report according to the required format & naming conventions (*7zip checked, extract check, extract check, extract check*). Finally sent the report to the offsec team. Received an acknowledgement email within some hours.

And then this ...... a day later, early in the morning...

Finally, I got an email with the good news that I had passed the exam successfully. I would like to thank my supportive parents & motivating friends during the offsec journey, and also @Offensive Security for such a great course which is actually focused on real hands-on experience.

Thank you! I hope you enjoyed the content & that it will be useful for anyone who is actually planning on doing the OSCP certification.