My OSCP Journey and PWK Course Review

I signed up for the course with 60 Days of lab time on 27th Nov 2018 to start my labs from 9th Dec. During this period of  ~10 days, I also got VIP subscription of HackTheBox to pwn some retired machines, solved a dozen of boot2root machines from vulnhub, read many privesc writeups and HTB walkthroughs, watched almost every video of ippsec and prepared myself for the labs.

Lab Days and the journey of learning
I got the study materials (PDF + videos + lab connection) early in the morning and I was really excited about it so I just read about the network structure of the lab, watched some intro videos, and directly jumped into the lab. I was expecting the lab environment to be something like HTB with difficulty level, OS info, etc. but nothing was there. Only a list of IP addresses. At this point, I had to go back to pdf, watch more videos, read others' reviews to get some knowledge of how to get an initial foothold on the first subnet. I spent like 4 days more to go through study materials before jumping into the labs again. Then I made a new plan to approach the targets and began to pwn the boxes one by one. The principle is simple, do enough enumeration, if you don't find any entry point note it down and skip it, it may be dependent on another one. Following the same approach, I got root on ~25 machines and unlocked Dev and IT dept network. Then things started getting complicated, no entry points were found for machines of either of the network. I had to go back to all of those machines AGAIN and do more post enumeration and exploitation to grab the goodies I missed. At this same time, one of my relatives passed away and I was away from the computer for a while. When I got back, I only had like 10 days left and hastily tried to pwn everything I could. Now comes the burnout part. Trying to get access to as many machines as I could, doing post enum and studying remaining content all at once got me burnt out very quickly and I was in that state where neither I could find any useful info to pwn remaining machines nor I could learn new things (Buffer overflow to be particular). So, even though I had some days remaining, I took a break from the lab and the lab connection ended on 5th Feb.

When I recovered from this burnout thing, I finished going through all the contents (pdf+videos) except Buffer Overflow.. again.. and got a lab extension of 15 days on March 1st. Those 15 days were very productive, I pushed my limits, gave my best and pwned total of 37 machines including the bad bois Pain, Sufferance, Gh0st, Fc4 but couldn't get humble and any machine from the admin network but still, I learned a ton about client-side exploitation, windows enumeration, pivoting, etc. so, that lab extension proved to be really productive and I learned many new things which I have never faced before. Earlier, I had scheduled the exam date for 20th March but since I have not even touched the Buffer Overflow section, I rescheduled the exam for 31st Apr so that I could take some break, refresh myself, go through the buffer overflows, do some revision and be prepared for the exam.

On 27th March, I went to Singapore for BountyCon (Invite-only Event hosted by Google and Facebook) :P I met so many highly skilled hackers who shared their knowledge with the community at BountyCon which also motivated me to get the OSCP certification.

When I got back from Singapore, I was very motivated and full of energy so I invested that in learning Buffer Overflow. Even though I didn't have any knowledge of Reverse Engineering, BO, and Exploit Dev before I learned everything I needed to pop a shell within 1 week. In the remaining days, I further practiced BO and solved like ~40 machines from HackTheBox which increased my confidence level for the exam. 

I had already done some final hour preparations, made the report template ready, and organized the exam folders and tools respectively so on the day before the exam, I didn't even touch my laptop. I was on a mindset that whatever happens, I'm going to let it happen. I'm not going to stress anymore. Even if I fail the exam, I'll be happy that I tried and gave my best. It's not the end of the world and I can still crack it in the second attempt. 

I'm a night owl. My body, brain, and everything starts to function properly after the evening so I set the exam to start from 3:45 PM. I installed the proctoring software and tried to test the connection with the proctors at ~3:40 PM but because of some reasons, the proctors were not able to see me through my webcam. I lost almost 45mins trying to troubleshoot the issue but nothing worked so I installed a third-party camera app and since proctors were able to see my desktop, they could now see me. Finally, I received my connection pack for the exam too.

My strategy for the exam was -> Make a list of machines first -> Run Reconnoitre tool in the background -> Solve Buffer Overflow machine while the reconnoitre tool is running -> Read the output and solve remaining machines consecutively ..but this strategy flopped, unfortunately :( First thing, The connection with proctors didn't turn out to be as smooth as I thought it would be so I was already panicked. Second thing, I've never used Reconnoitre tool before; I only installed that tool before 3 days of the exam because I had read in every OSCP journey blog that people use Reconnoitre tool and follow the same strategy. However, it didn't work for me.

I went back to my own strategy of solving boxes; doing manual scans one by one and exploiting stuff as I obstacle. I started with 10 points box first but again I found nothing :( I skipped that and tried buffer overflow but again no luck and I had no success. At this point, I was kind of lost; what to do, how to do, where to start, etc. so I took a short break. I went for a short ride, grabbed some cans of Red Bull, and now my mind was very fresh. I pretended that I am seeing those IP addresses for the first time and nothing has happened before.

I first tried the same 10 point machine, the thing I needed to get shell was right there. I felt so stupid after getting root and also got the motivation to solve BoF. I did everything it was needed to get a shell with BoF but my exploit was just not working so I took a dinner break. When I came back and went back to every step I did, I figured out why my exploit was not working. Did some trials and errors, wrote the exploit again, and BOOM! BoF box was solved. I then moved to another 25 pointer, it was a very straightforward 30pts HackTheBox-like windows box :P It was full of enumeration followed by a series of exploitation. When I got the user shell, it was already 12 AM. I also already knew how to achieve a root shell and was only one step away so I decided to go to sleep and continue it another day. I woke up at 7 AM, had light breakfast and I was back to the game. I continued from where I left and even though I had a very clear vision on how to achieve that shiny NT AUTHORITY\SYSTEM shell, it took me 1.5 hrs to get everything together. By 8:30 AM, I had 10+25+25=60pts. So, I went for the next 20pts box. Regular scan and enumeration already gave enough hints to get the shell and I had also seen the same "thing" on one of the HackTheBox machines previously but the manual method didn't work. So, I used Metasploit for this part and my netcat listener caught the reverse shell (no meterpreter). After I got the shell, privesc was very easy. I've seen that same thing more than 10 times in labs, vulnhub machines, and hackthebox. 80 F*CKIN POINTS!! That's enough points to pass the exam but I wanted to solve 5/5 machines so I went after the last 20 pts one. This machine was brainfuck. I did every possible thing I could do; scanned all ports, checked them ports one by one, searched for exploits that might work, usual web recon, dir brute-forcing. I literally did everything I could do till 2 PM. Then, I gave up. Idk what I was missing but I missed one critical thing which is still a mystery ¯\_(ツ)_/¯

I had been taking notes, grabbing local.txt and proof.txt, and necessary screenshots after solving each machine and again I verified them. I made sure I had enough notes and screenshots to prepare a report before the connection ended. Everything was ready to prepare the report and the connection also ended sharply at 3:45 PM. I took a deep breath of relief, went out, got some fresh air, and slowly started to write the report explaining how I gained access to the 4 machines. I finished the report the next day at 1 PM, followed the procedure to submit the report, and crossed my fingers. The report was submitted on 1st May and I got the reply from OffSec saying I passed the exam on 3rd May, one of the happiest day of my life ᕦ( ˘ᴗ˘ )ᕤ

PWK Course Review
PWK was one of the first online paid course I've ever done and it turned out to be a great learning experience. I really enjoyed the PDF guide, videos, and mostly the labs. The labs taught me so many things that I would never really learn on my own. The lab scenario exactly matches real-life pentest scenario. Enumerating machines, escalating privileges, writing/modifying exploits, pivoting to other subnets everything was fun.

 Before doing the PWK course, windows machines used to be my worst nightmares. I had no idea where shall I start to pwn a windows box and even SMB ports used to scare me. My next nightmare was pivoting. Just by hearing the word "Pivoting", I had a mindset that it is "Next level advanced haxor" type of thing, I would never be able to learn that but after getting into the labs, the curiosity to pwn and learn new things increased more and more and eventually I learned to pivot and learned so many techniques for which I'm really thankful to OffSec <3

PWK is a great entry-level course. If you made it to this part of the blog post, then I don't even need to explain about the popularity of this course ;) Doing PWK course won't make you an Elite haxor but you will definitely learn some life lessons, discover your areas of interest and most importantly.. the mindset to TRY HARDER every day :)

Tips for people pursuing OSCP
  • First things first, Read, Read, Read. Read as much OSCP blogs, vulnhub, and HackTheBox walkthroughs you find on the internet. 
  • Practice, Practice, Practice. Solve as many vulnhub and hackthebox machines as you can. I can't recommend HTB VIP and ippsec videos enough. There has been so many "Ah, I've seen this before. I know what to do next" moments in the lab and even in the exam.
  • Don't jump between the learning materials and the labs. Please go through the PDF and videos then only come to the labs. It will save you time.
  • One machine at a time! When you are in the lab, please focus on only one machine at a time. Do your normal scans, enumerate everything you can. No success? Then skip it maybe it is dependent on some other ones. Come back to it later. Just don't try to pwn everything at once.
  • THE MOST IMPORTANT TIP - Don't be afraid to push your limits and try new things. You come across a very weird thing which you know can be exploited but you are afraid that it may not work? Put your fear of failure aside and just do it. It may work and you will learn many things while putting the pieces together.
  • Another important tip is to regularly take snapshots of Kali/Windows VMs. It will save your ass in case VMs crash and don't start.
  • Take regular breaks and don't try to learn/pwn everything in a day. That's not possible. You will get burnt out very quickly and you might not be able to focus.
  • Don't ignore the buffer overflow part. It may be hard in the beginning but it's really simple after enough practice and gives you easy 25 points in the exam. 
  • Record screen while solving 25 points machines in the exam. Time is very limited in the exam so it's not possible to go back from scratch again just to take screenshots. So, while solving 25 pts machine and buffer overflow, record your screen in 720P and later take screenshots from the capture for the report.
  • Don't change your workflow/methodology in the final hour. You will surely mess things up so be yourself and follow your own strategy.
  • Take proper rest before exam day. Proper rest will let your brain be calm and enables you to think critically.
Though my lab days and the learning curve was very messy and I was just doing everything haphazardly, it was still a great learning experience and in these months (Nov 2018 - Apr 2019), I learned so many new things which I would've never learned by myself so yeah it's a win either way. Lastly, I am very thankful to the twitter/hackthebox infosec community and every other individual who share valuable knowledge and quality research. Huge shout to everyone, this would not have been possible without you all <3

I wanted to keep this blog short but.. ¯\_(ツ)_/¯. If you made it till the end and still reading, all I can say is thank you for reading this long blog post. Also, thanks to my dear brother Smaran for proof reading the post. Maybe check out my SoundCloud too?

Until next time... PWN ALL THE THINGZ!


Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

DC-2 Walkthrough

Expanding the attack surface with Shodan's lesser known filter