Hacking Hilarity Unleashed: How I Survived the OSCP 2023 Certification Exam and Lived to Tell the Tale!

ThatOneSecGuy
15 min read · Jun 13, 2023


Disclaimer: Please note that the thoughts and concepts presented in this article may be interpreted differently by individual readers, and that’s perfectly acceptable. It is important to clarify that this article does not aim to provide a universal OSCP master guide that suits every situation. Its purpose is not to compromise the integrity of the exam but rather to offer my personal perspective on the exam and share the resources that helped me prepare and succeed. I hope you find this article enjoyable and beneficial on your own OSCP journey!

Picture this: It was a bright and sunny day, and I found myself sitting in front of my computer, pondering life’s mysteries, like why “abbreviated” is such a long word. Suddenly, it struck me — I should document my journey to OSCP certification in a blog! But not just any blog — a funny, story-like adventure filled with mishaps, triumphs, and a touch of absurdity.

With a mischievous grin, I set out on a mission to entertain and guide OSCP aspirants through my own uproarious experience. I wanted to create a space where readers could learn the technical tricks of the trade while snickering at my comedic exploits. After all, who said hacking had to be 1337 all the time?

So fasten your seatbelts, don your virtual capes, and get ready for a wild ride through my hilarious and challenging journey to OSCP certification. But be warned: this blog is not for the faint-hearted. It’s for those who appreciate a good laugh, who embrace the absurdity of hacking, and who aren’t afraid to think outside the box while maneuvering through the technical landscape.

From Couch Potato to Cyber Dynamo: The Whimsical Decision to Pursue OSCP

It was a day like any other in my hacking journey — caffeine-fueled and filled with curiosity. As I perused the vast expanse of cybersecurity certifications, one name stood out among the rest — the OSCP (Offensive Security Certified Professional). With a resolute spirit and a touch of self-deprecating humor, I embarked on the arduous journey of OSCP exam preparation. I suited up to immerse myself in a world of virtual machines, vulnerable systems, and complex challenges.

Unveiling the Exam Structure & Point Conundrums

Independent Targets:
3 sneaky independent targets, each with their own set of challenges, worth a whopping 20 points each (10 for the low-privilege local.txt flag, 10 for the root/Administrator proof.txt flag), 60 points in total.
Active Directory Set:
Prepare to tackle the Active Directory circus, featuring 2 tricky clients and 1 mischievous Domain Controller. This daring adventure is worth a grand total of 40 points, and it is all or nothing: partial progress in the domain earns nothing, full compromise earns the whole 40. Get ready to tame the wild world of AD!
Bonus Points and the Report:
The famous 10 bonus points are not awarded for the exam report itself. They come from the lab report you submit before the exam, documenting 80% of the course exercises in each module plus 30 proof.txt flags from the challenge labs. The exam report is mandatory either way: no report within 24 hours of the exam ending, no certification, however many flags you grabbed. It must show every step of your epic hacking journey, with the flag screenshots the exam guide asks for. Who said hacking couldn't be elegant?
Proctored Exam:
You're under surveillance, my friend! A proctor watches your screen share and webcam for the full 23 hours and 45 minutes, and you verify your identity with photo ID before the clock starts. Imagine being watched like a spy on a secret mission. But don't worry, it's all part of the excitement. Just make sure to keep your ninja moves stealthy and your hacking game strong.
Passing Score:
The magic number to unlock your OSCP certification is a minimum of 70 points out of the 110 available (60 from the standalones, 40 from the AD set, 10 bonus). It's like collecting coins in a video game, except this time, your hacking skills are the joystick. Aim high, stay focused, and let the laughter guide you to success!

Exam Structure

Active Directory

As I prepared to embark on my quest to conquer the OSCP certification, I was fully aware of the fact that I hadn’t written the report for the practice labs, which meant missing out on those precious 10 bonus points. And there it was, the punchline waiting to be delivered — I knew Active Directory attacks were my path to scoring those extra points. So, armed with this humorous twist of fate, I decided to embrace the inevitable and dive headfirst into the realm of Active Directory exploits.

Active Directory Basics — Lay the Foundation

Before diving into the world of Active Directory attacks, it's essential to grasp the fundamental concepts. I would strongly advise OSCP aspirants to focus on understanding the basics of Active Directory, including domain controllers, domains, organizational units (OUs), user accounts, groups, and group policies. Since I was familiar with the structure and hierarchy of Active Directory, having worked on numerous AD environments, getting a solid foundation to build upon was a cakewalk.

Enumeration — Uncovering Hidden Treasures

The next step involved honing my enumeration skills. I learned to use tools like Nmap, enum4linux (SMB/RPC null sessions) and ldapsearch (anonymous or authenticated LDAP binds) to gather valuable information about the target network. This process involved identifying domain controllers (Kerberos on 88 and LDAP on 389/636 on the same host is the usual tell), enumerating user accounts, groups and their memberships, mapping trust relationships between domains, and discovering information about Active Directory Domain Services (AD DS), such as LDAP endpoints and service principal names (SPNs), which feed directly into the Kerberos attacks below.

Expanding the Attack Arsenal: Kerberos Attacks — Cracking the Encryption

With a solid understanding of Active Directory structure and enumeration techniques, I delved into the world of Kerberos attacks. Two things need untangling here. The Windows host-level techniques I also worked through at this stage, such as DLL hijacking, weak service and registry permissions, unquoted service paths, insecure service executables, weak file and folder permissions, scheduled tasks and abusable Group Policy settings, are local privilege escalation, not Kerberos attacks, and belong in the privilege escalation stage further down. The Kerberos attacks proper are Kerberoasting (request a service ticket for any account with an SPN and crack its encrypted part offline, since it is keyed with that service account's password hash), AS-REP roasting (the same idea against accounts with Kerberos pre-authentication disabled) and pass-the-ticket. Rubeus and Kekeo request and manipulate tickets from a Windows foothold, Impacket's GetUserSPNs.py and GetNPUsers.py do the same from Kali, and the cracking itself happens offline with hashcat or john, revealing passwords like a magician pulling a rabbit out of a hat. One caveat before exam day: a weak service-account password falls in minutes, a long random one never will, so do not burn hours on a ticket that has survived rockyou.txt and a rule set. Also, I would strongly advise learning more ways to obtain an interactive shell than just Meterpreter and netcat, both for ease of persisting access and because the exam guide allows Metasploit and Meterpreter against only one target.

Pass-the-Hash Attacks — The Hash Comedy Show

Pass-the-Hash attacks took the spotlight in my Active Directory adventure. NTLM authentication never transmits the password itself; the client proves knowledge of the NT hash (MD4 over the UTF-16LE password), so whoever holds that hash can authenticate as the user without ever cracking it. Armed with Mimikatz (sekurlsa::pth) on Windows, or Impacket's psexec.py/wmiexec.py and crackmapexec with -H on Kali, I embarked on a comedic journey of bypassing authentication with a mere hash, leaving security mechanisms scratching their metaphorical heads in confusion. Additionally, I explored Overpass-the-Hash, where the same NT hash is used to request a Kerberos TGT, so you can reach services that insist on Kerberos and pure NTLM detections see nothing. Two caveats: a local Administrator hash only carries to other hosts when that account shares the same password and the target has not restricted remote use of local accounts, and what you pass is the NT hash, not the NTLMv2 challenge-response you captured on the wire (that you crack or relay, never pass). Pass-the-Hash proved invaluable when it came to lateral movement and privilege escalation.

Domain Privilege Escalation — The Crown Jewel

As my knowledge grew, I turned my attention to domain privilege escalation. I explored misconfigurations, weak permissions and vulnerabilities that could grant me higher privileges within the Active Directory domain. Techniques like abusing Group Policy Objects (GPOs) to execute code on every machine they apply to, compromising service accounts and leveraging their privileges (a Kerberoastable account sitting in a privileged group is the classic), exploiting Kerberos delegation (unconstrained, constrained and resource-based) and identifying vulnerable trust relationships became the highlights of my routine.

Domain Controller Attacks — Conquering the King

Finally, armed with a repertoire of Active Directory attack techniques, I set my sights on the ultimate prize: the domain controller. I ventured into the realm of exploiting misconfigurations, weak passwords and vulnerabilities that plagued the domain controller. It was a dance of persistence and ingenuity as I learnt DCSync to pull the password hashes of any domain account straight out of the replication protocol (mimikatz lsadump::dcsync or Impacket's secretsdump.py; it needs the Replicating Directory Changes rights that Domain Admins and the DCs themselves hold, so it is a post-compromise tool, not a way in), learnt how DCShadow registers a rogue domain controller to push changes into Active Directory through that same replication, and learnt how the krbtgt hash from DCSync lets you forge golden tickets, and a service account's hash silver tickets, to impersonate privileged accounts. Once you can DCSync, the domain is yours; just remember that proof.txt on the DC still has to be collected and screenshotted.

Web Application

Understanding Web Application Fundamentals

To embark on my web application security journey, one should start by developing a solid understanding of web application fundamentals. Familiarize yourself with concepts such as client-server architecture, HTTP protocols, web servers, and various other web components. This foundational knowledge will help you grasp the intricacies of web application security.

OWASP Top 10 — The Gateway to Web App Attacks

To delve deeper into web application security, explore the OWASP Top 10, a widely used list of the most critical web application risk categories. In particular, study injection (SQL, OS command, etc.), broken access control, security misconfiguration and vulnerable or outdated components; buffer overflows are a separate, native-code topic and are not on the OWASP list. By understanding these common vulnerabilities, one can gain insight into how attackers exploit them and the countermeasures needed to secure web applications. I would recommend not focusing too much on client-side attacks such as XSS and CSRF in the context of the exam.

Web Application Reconnaissance — Gathering Intel

Next, focus on web application reconnaissance techniques. Learn to leverage tools like Burp Suite, Nmap, and dirb to identify the target application’s entry points, perform port scanning, and discover hidden directories and files. This reconnaissance phase will allow you to gather crucial intelligence about the application’s structure, technologies in use, and potential vulnerabilities.

Authentication and Session Management — Gatekeepers and Cookies

Authentication and session management will play a pivotal role in your web application security journey. Delve into techniques like brute-forcing login pages, exploiting weak or default credentials, and bypassing authentication mechanisms. Additionally, explore session hijacking, cookie manipulation and token-based authentication attacks. Understanding these concepts will equip you with the knowledge to identify and exploit vulnerabilities in the authentication and session management processes.

Input Validation and Injection Attacks — The Art of Breaking In

With a solid understanding of authentication and session management, you can delve into the world of input validation and injection attacks. Explore SQL injection, where you manipulate input fields so that your text becomes part of the query the application builds, letting you bypass a login, read other tables and, depending on the database engine, write files or run commands. Also learn about command injection, XML/XPath injection and LDAP injection, each offering a unique path to exploit vulnerabilities and gain control over the application. Learn the underlying concepts rather than a tool: the exam guide lists sqlmap among the restricted tools, so every payload on exam day is crafted and verified by hand.
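As an added example (not from the original post), the snippet below runs a login-style SQL injection against an in-memory SQLite database: the vulnerable string-built query beside the parameterised one that closes the hole, plus a UNION payload that uses the same bug to read the password column. Table contents and payloads are constructed for the demo; the comment syntax (`--`) is SQLite's, and the column count in the UNION must match the original query, which is the first thing you tune by hand when sqlmap is off the table.

```python
"""Login SQL injection, vulnerable and fixed, against an in-memory SQLite DB.

Added example, not from the original post. The users table, the
credentials and the payloads are constructed for the demo.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "Winter2023!", "admin"), ("jdoe", "Summer2023!", "user")],
    )
    return con


def login_vulnerable(con, username, password):
    """String-built query: attacker-controlled text becomes SQL syntax."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Parameterised query: values travel separately from the SQL text,
    so a quote in the input is just a quote in the data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def lookup_vulnerable(con, username):
    """Same bug in a profile lookup; used below for UNION-based extraction.
    The injected SELECT must return the same number of columns (2)."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


# Constructed payloads.
AUTH_BYPASS = "admin' -- "                                  # comments out the password check
UNION_DUMP = "x' UNION SELECT username, password FROM users -- "


def demo():
    con = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(con, AUTH_BYPASS, "wrong"),   # logs in as admin
        "bypass_safe": login_safe(con, AUTH_BYPASS, "wrong"),               # None: no such user
        "normal_safe": login_safe(con, "admin", "Winter2023!"),             # still works for real creds
        "dump": sorted(lookup_vulnerable(con, UNION_DUMP)),                 # every username/password pair
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a real target you rarely see rows echoed back this cleanly; the same two queries are the base from which boolean and time-based variants are built when the output is hidden.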

Web Application Privilege Escalation — Reaching for the Heights

Next, focus on web application privilege escalation. Discover misconfigurations, weak file permissions and vulnerabilities that could grant you elevated privileges within the application or the underlying system. Techniques like parameter tampering, insecure direct object references (IDOR) and path traversal came into play as I laughed my way through gaining unauthorized access and escalating privileges; on the exam the real prize of the web stage is usually not admin in the application for its own sake but the file upload, file write or code execution that hands you a shell on the host.

The D-Day Tips:

Oh, my audacious explorer, as you enter the enchanted realm of the exam environment, a conundrum beckons: What shall be your maiden step? But fear not, for your trusted methodology shall guide you, whether traversing the halls of HTB or THM or OSCP Labs. And if your mind instinctively whispers, “Reconnaissance, Scanning and Enumeration” rejoice, my shrewd companion, for your intuition sings true! Now, let us embark on a journey of micro-steps, where tools become our mischievous sidekicks. Behold, I offer you my humble suggestions (arranged haphazardly, for structure is but a frivolous notion):

PS: Pray, let it be known that this counsel, though delightfully generic, “could” apply to one of your OSCP boxes. Should the fickle winds of fate deny you an open HTTP(s) port, your micro-steps may pirouette into a different rhythm. Fear not, for the concept shall endure. As for the syntax and usage of tools, I bestow upon you the grand liberty of choice. Yet, to ignite your creative spark, here are some examples and fanciful use cases:

Initial Access

  1. Unleash the almighty NMAP scan upon the host, and with a twinkle in your eye, savor the findings that emerge from the digital depths.
  2. Ah, the mystical portals of port 80 or 443! If a redirect, a certificate or a page link reveals a domain name, enshrine it in your /etc/hosts, like an ancient relic in a treasure chest: your Kali has no DNS for these lab names, so without that entry your browser will simply never arrive. Embark upon a grand quest to that domain and, with a mischievous grin, unleash the whimsical Nikto scan. Oh, the misconfigurations it shall uncover! For sub-domains and virtual hosts, summon FFuF in vhost mode (fuzzing the Host header against the IP) or gobuster vhost; sublist3r and its kin query public sources such as search engines and certificate logs, which know nothing about an isolated lab domain, so they come back empty here. These hidden realms teem with secrets: login portals, file upload portals, downloadable treasures, and even delectable login credentials nestled within the source code.

2a. Yet, if these portals choose to play coy, cast your gaze upon other open ports and services. Tread lightly, for within their digital chambers lie potential gateways to mischief. Allow me to illuminate:

  • Port 21 (FTP): Pause, and with a twinkle in your eye, contemplate this possibility: Can you waltz in anonymously, savoring the thrill of downloading forbidden files? Or perchance, can you slyly upload your own creations, injecting a spark of mischief into the machine’s unsuspecting heart? Seek ye the secrets of information disclosure or an opportunity to wield the reverse shell!
  • Port 22 (SSH): The fortress of SSH! Conjure images of a daring knight, bravely attempting to crack the castle's secrets. Shall you dabble in the art of brute-forcing, hoping to discover the mystical credentials that grant entry? Only with a username list from your enumeration, for blind SSH brute force is slow and the lockout is real. Pray, have you stumbled upon private keys (an id_rsa file is gold, and a passphrase-protected one goes to ssh2john), usernames, hashes or passwords in your noble quest for enumeration? Let them guide your steps, dear troubadour of the virtual realm. And, oh, do discover the version of this service, for vulnerabilities may whisper their secrets into your ear, and a hash plus rockyou.txt may "rock-you".
  • Port 5985 (WinRM): Hark, a Windows environment! This port only opens its doors once you hold credentials (or an NT hash, which evil-winrm also accepts with -H), so direct your mischievous endeavors toward credential enumeration first. Then invoke the arcane powers of evil-winrm and watch as it weaves its enchantment, opening doors to further conquest within the kingdom of the machine.
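The micro-steps above and the "spot the domain controller" rule from the enumeration section both start from the same place: a port list per host. As an added example (not code from the original post), the script below parses nmap's greppable output (`-oG`) and turns each host into a checklist, flagging a likely domain controller when Kerberos and LDAP sit on the same box and attaching the next-step hint for each port it recognises. The scan text is constructed by hand in real `-oG` layout with made-up IPs and hostnames; the hints dictionary is this example's own and simply mirrors the text above.

```python
"""Turn an nmap greppable (-oG) scan into a per-host enumeration checklist.

Added example for this post, not the author's code. SAMPLE_GNMAP is
constructed in real -oG layout; the IPs and hostnames are made up, and the
HINTS table is this example's own summary of the micro-steps in the text.
"""
import re

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- -oG scan.gnmap 10.10.10.5 10.10.10.20\n"
    "Host: 10.10.10.5 (dc01.corp.local)\tStatus: Up\n"
    "Host: 10.10.10.5 (dc01.corp.local)\tPorts: 53/open/tcp//domain///, "
    "88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, "
    "5985/open/tcp//wsman///\tIgnored State: filtered (65530)\n"
    "Host: 10.10.10.20 ()\tStatus: Up\n"
    "Host: 10.10.10.20 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: closed (65532)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

# Next-step hints per port, mirroring the micro-steps in the text.
HINTS = {
    21: "FTP: try anonymous login; look for readable loot or an upload path",
    22: "SSH: note the version; reuse any keys or creds found elsewhere before brute-forcing",
    80: "HTTP: add any vhost to /etc/hosts, run nikto, ffuf directories and vhosts",
    443: "HTTPS: as HTTP, and read the certificate for hostnames",
    445: "SMB: list shares (null session, then with creds), enum4linux/crackmapexec",
    5985: "WinRM: Windows host; evil-winrm once you hold a password or NT hash",
}


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": {port: service}}} for open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host: (\S+) \((.*?)\)", fields[0])
        if not m:
            continue
        entry = hosts.setdefault(m.group(1), {"hostname": m.group(2), "ports": {}})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for spec in field[len("Ports:"):].split(","):
                parts = spec.strip().split("/")      # port/state/proto/owner/service/rpc/version
                if len(parts) >= 5 and parts[1] == "open" and parts[2] == "tcp":
                    entry["ports"][int(parts[0])] = parts[4]
    return hosts


def is_domain_controller(ports):
    """Kerberos plus LDAP on one host is the usual DC signature."""
    return 88 in ports and (389 in ports or 636 in ports)


def triage(text):
    """Per host: DC flag and one checklist line per open port."""
    report = {}
    for ip, info in parse_gnmap(text).items():
        ports = info["ports"]
        steps = []
        if is_domain_controller(ports):
            steps.append("Likely domain controller: ldapsearch/enum4linux, record the realm "
                         "for Kerberos, add its hostname to /etc/hosts")
        for port in sorted(ports):
            steps.append(HINTS.get(port, f"{port}/{ports[port]}: identify the version, research known issues"))
        report[ip] = {"hostname": info["hostname"], "dc": is_domain_controller(ports), "steps": steps}
    return report


if __name__ == "__main__":
    for ip, r in triage(SAMPLE_GNMAP).items():
        print(f"{ip} {r['hostname'] or '(no name)'}{' [DC]' if r['dc'] else ''}")
        for step in r["steps"]:
            print("  -", step)
```

Run it against `nmap -p- -oG scan.gnmap <targets>` output and paste the result straight into your notes; the checklist is the skeleton your enumeration fills in.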

Also, do not forget the power of note-taking, for it is the secret potion that transforms mere mortals into formidable hackers. Alas, none of us possess the innate wizardry to retain every intricate detail while treading the path of scanning, enumerating, and exploiting multiple hosts. Hence, it is incumbent upon us to document our exploits, lest we succumb to the amnesia of the digital domain.

Consider this a gentle reminder, a delightful refresher even for the seasoned adepts among us, that enumeration, research, and an insatiable curiosity, all wrapped in the warm embrace of organizational prowess, are the cornerstones of our methodology.

Pay heed, for the grandest treasures lie within the hallowed halls of reconnaissance and scanning, the sacred rituals of Information Gathering. Your notes, dear compatriot, should have bloomed like a bountiful garden by this point, guiding your steps and illuminating the contours of your attack surface. Allow these revelations to seamlessly usher you into the next phase, the enchanting realm of Exploitation, where Initial Access awaits. Now, as a lowly user, you wonder, “What lies beyond?”

But fret not, intrepid explorer, for the answer is simple: Seek the flag!

Summon your command-line sorcery, traverse each directory with grace, and invoke the incantation of "cat" (Linux) or "type" (Windows) to reveal the mystical .txt files: local.txt for the low-privilege foothold, proof.txt for root or Administrator. There, amidst the digital tapestry, the user flag shall reveal itself, a shimmering jewel of accomplishment. Snatch its essence, copy its sacred verse, and present it to the machine's gatekeeper within the enchanted exam portal. Then take the screenshot the exam guide demands: the flag's contents and the target's IP address (ip addr or ipconfig) in the same interactive shell, for a flag without that screenshot earns nothing in the report. Behold! You have crossed the halfway mark on this machine, emboldened by the surge of adrenaline coursing through your veins, and brimming with the fervor to conquer the remaining obstacles that guard the gateway to ultimate triumph: Root Access!

Now, dear friend, let us embark upon this perilous pilgrimage, armed with our wits, our notes, and a determination as unwavering as a dragon’s gaze. Together, we shall unlock the secrets that lie dormant within the machine and emerge victorious in our quest for knowledge and mastery. Onward, to glory!

Privilege Escalation

The state of root user access may be as elusive as catching a unicorn dancing in moonlight. Fear not, for your focus must now shift to the captivating realm of “Privilege Escalation.” Within this domain, a multitude of paths lie waiting to be explored. Allow me to enlighten you on the art of strategic thinking:

Behold, our next step in this intricate dance. Regardless of whether our journey leads us through the corridors of Windows or the realms of Linux, our first task is to seek out the next entry point, the key to ascendancy. Manual exploration of the system, scouring for additional users, scrutinizing running processes, cron jobs and scheduled tasks, sudo rights, SUID binaries, stored credentials, outdated software and, last of all, kernel exploits, may consume precious time. But fret not, for I present to you a marvel of automation known as WinPEAS (for Windows) or LinPEAS (for Linux). These wondrous tools shall unravel a tapestry of possibilities, overwhelming you at first with a cornucopia of results. Treat the output as a checklist, not an oracle: read it meticulously, leaving no stone unturned, especially the red and yellow highlighted findings, and verify each candidate by hand before building on it. Keep kernel exploits for last; they can crash the target, and a revert costs time you do not have. And if it hasn't dawned upon you yet, my dear compatriots, the art of file transfer shall play a pivotal role: know at least one way in each direction on each OS (a Python http.server with wget, curl or certutil on the receiving end, and an SMB share via impacket-smbserver) before exam day.
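To show what one line of that PEAS checklist actually checks, here is an added example (not from the original post and not linPEAS itself): it parses a system crontab and reports every job run by another user whose target script is writable by us, or missing from a directory we can write to, which are the two classic cron privilege escalations. The crontab text, the low-privilege identity and the permission table are constructed so the example runs offline; on a real host the `FAKE_FS` lookups become `os.stat` and `os.access`, and you would also read `/etc/cron.d/*` and each user's crontab.

```python
"""One of the checks linPEAS automates: cron jobs run by another user whose
target script you can overwrite or create.

Added example for this post, not the author's code and not linPEAS. The
crontab text, MY_USER/MY_UID/MY_GROUPS and the FAKE_FS permission table are
constructed; on a real box replace FAKE_FS with os.stat/os.access.
"""
import os
import shlex
import stat

SAMPLE_CRONTAB = (
    "SHELL=/bin/sh\n"
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "\n"
    "# m h dom mon dow user  command\n"
    "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly\n"
    "*/5 *   * * *   root    /opt/backup/backup.sh\n"
    "0 3     * * *   www-data /var/www/cleanup.sh\n"
    "* *     * * *   root    /usr/local/bin/monitor.py\n"
)

# Who we are on the box (constructed): an ordinary user with one group.
MY_USER, MY_UID, MY_GROUPS = "lowpriv", 1000, {1000}

# Constructed stat() results: path -> (st_mode, st_uid, st_gid).
# backup.sh is world-writable and run by root; /usr/local/bin is a
# world-writable directory and monitor.py does not exist yet.
FAKE_FS = {
    "/": (0o40755, 0, 0),
    "/etc/cron.hourly": (0o40755, 0, 0),
    "/opt/backup": (0o40755, 0, 0),
    "/opt/backup/backup.sh": (0o100777, 0, 0),
    "/var/www": (0o40775, 0, 33),
    "/var/www/cleanup.sh": (0o100755, 33, 33),
    "/usr/local/bin": (0o40777, 0, 0),
}


def writable(path):
    """Approximate access(path, W_OK) for our uid/groups from the mode bits."""
    info = FAKE_FS.get(path)
    if info is None:
        return False
    mode, uid, gid = info
    if uid == MY_UID:
        return bool(mode & stat.S_IWUSR)
    if gid in MY_GROUPS:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def parse_crontab(text):
    """System crontab lines: five schedule fields, a user, then the command."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue   # blank, comment, or VAR=value line
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append({"schedule": " ".join(fields[:5]), "user": fields[5], "command": fields[6]})
    return jobs


def find_cron_privesc(crontab_text):
    """Flag every absolute path in another user's job that we could replace or create."""
    findings = []
    for job in parse_crontab(crontab_text):
        if job["user"] == MY_USER:
            continue   # already runs as us; nothing to gain
        for target in (t for t in shlex.split(job["command"]) if t.startswith("/")):
            if target in FAKE_FS and writable(target):
                findings.append((job["user"], target, "target is writable: replace it with your payload"))
            elif target not in FAKE_FS and writable(os.path.dirname(target)):
                findings.append((job["user"], target, "target missing and its directory is writable: create it"))
    return findings


if __name__ == "__main__":
    for user, path, why in find_cron_privesc(SAMPLE_CRONTAB):
        print(f"[{user}] {path}: {why}")
```

The second branch is the one people forget: a job pointing at a script that does not exist is as good as a writable script if you can create the file, and the same logic extends to relative paths resolved through a writable directory on the cron PATH.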

But lo, my friends, the exploration need not end there. Casting our nets wider, we shall dive into the realms of credential plundering. Mimikatz, that formidable instrument of intrigue, shall aid us in our quest. For the fruits of Mimikatz, and indeed any credentials you unearth, may prove to be the stepping stones towards both privilege escalation and lateral movement.

Remember, dear wanderers, there exists a multitude of pathways to tame this elusive creature. The examples shared here mirror my own encounters during the examination. Exploiting file permissions, capitalizing on vulnerabilities lurking within the operating system or kernel, and weaving together the tapestry of tools mentioned, shall bring you closer to the ethereal realm of root user access than you dare imagine. Easier said than done, I confess, but I traversed the treacherous terrain and rooted two out of three standalone machines simply by adhering to the methodology outlined here.

Active Directory Set Tips

In the intricate realm of Active Directory, dear comrades, I shall guide you with a delicate touch, preserving the sanctity of the exam’s integrity. Though I shan’t divulge the precise starting point, let it be known that the hallowed “methodology” and its accompanying “micro-steps,” which served you faithfully in the realm of standalone environments, retain their relevance until the moment arrives to enumerate the landscape, traverse its vastness, and ascend the lofty peaks of lateral movement and privilege escalation.

Behold, the tools that shall become your steadfast companions on this odyssey:

BloodHound: A visual oracle that reveals the secrets of the AD domain; feed it data collected with SharpHound from a Windows foothold or bloodhound-python from Kali, then ask it for the shortest paths to Domain Admins.
CrackMapExec: Spraying passwords and hashes across SMB, WinRM and LDAP, listing shares and logged-on users, and dumping SAM or LSA secrets at scale.
Impacket: A Python implementation of SMB, MSRPC, LDAP and Kerberos, shipping with example scripts (psexec.py, wmiexec.py, secretsdump.py, GetUserSPNs.py) that cover most lateral movement needs from Kali.
LinPEAS: A faithful companion, unfurling the tapestry of Linux privilege escalation vectors.
WinPEAS: A beacon of wisdom, illuminating the path to Windows privilege escalation vectors.
PowerView: Enabling meticulous enumeration of the Active Directory environment from a PowerShell session.
PowerUp: Unveiling the hidden gems of Windows privilege escalation, exposing the misconfigurations of the system.
Mimikatz: A treacherous yet potent artifact for pulling credentials and tickets out of LSASS, SAM and the registry; expect antivirus on the targets to object, so know an alternative (secretsdump.py remotely, or dumping LSASS and parsing it offline).
Chisel: A TCP/UDP tunnel over HTTP with a SOCKS mode, for port forwarding and pivoting through a compromised host into the rest of the set.
Hashcat: A trusted ally in cracking what you collect: NT hashes (mode 1000), Kerberoast tickets (13100) and AS-REP hashes (18200).

These, my friends, shall serve as your stalwart allies when venturing into the realm of Active Directory.

Assuming you have successfully established a foothold within this complex domain, your initial foray should involve gaining a deeper understanding of the potential pathways to further ascension. In this endeavor, the tool that reigns supreme in my mind is none other than BloodHound. Allow it to illuminate your path and reveal the interconnected web that lies before you. With your chosen path firmly in sight, recall the cherished “micro-steps” of earlier days. Probe accounts, scrutinize file permissions, and examine running services, seeking the glimmers of value they may possess. PowerView and PowerUp can aid in this quest, automating your reconnaissance, unraveling the secrets of the environment. Yet, should the need arise, do not shy away from embracing the power of PowerShell and embarking on the manual path of enumeration.

Through the harmonious symphony of these tools, intertwined with your expertise and ingenuity, you shall traverse the intricate labyrinth of Active Directory, unlocking its hidden treasures, and ascending to the lofty heights of privilege.

Behold, the fruits of my labor:

2 Standalone Machines vanquished: 40pts

AD Domain conquered: 40pts

Impeccable Professional Report: 10pts

Grand Total: 90 glorious points!

Know this, my dear companions, my noble quest was to merely achieve the cherished title of “pass.” Once I felt the surge of confidence coursing through my veins, I embarked upon the final leg of my journey. With a twinkle in my eye, I bestowed one last gaze upon my collection of screenshots and notes, bidding them a fond farewell. No need to torment my weary soul any further, for the pursuit of excellence had already taxed my spirits enough.

As I reach the culmination of this humble article, my heart swells with gratitude and warmth towards you, dear reader. Time is a precious gift, and the fact that you have devoted yours to accompany me on this written expedition fills me with immeasurable joy. This endeavor of sharing my OSCP journey has been a revelation, igniting a flame within me to assist and uplift more souls in this vast expanse of cybersecurity.

Let it be known that the true essence of this piece resided in the profound significance of the basics. In this intricate labyrinth of information, we often find ourselves adrift, yearning for direction, even as I, too, grapple with moments of uncertainty. The sight of others seemingly effortlessly grasping concepts or attaining prestigious certifications like the revered OSCP can be disheartening, casting shadows of doubt upon our own abilities. Yet, through this article, my fervent desire was to instill a glimmer of hope, to reaffirm the value of foundational knowledge, and to illuminate the path towards success.

With genuine sincerity, I extend my sincerest wishes to every soul reading these words. May the wisdom shared within these virtual pages serve as a guiding light during your own unique odyssey. May you encounter boundless triumphs and conquer formidable challenges, emerging stronger and wiser with each passing milestone. As you continue along your extraordinary journey, remember that success is not an endpoint, but a kaleidoscope of moments, big and small, that shape the tapestry of your personal triumphs.

Written by ThatOneSecGuy

Red Teamer | Constantly attacking infrastructure, systems, applications (and humans) to make the Internet a safe and secure place for everyone (and everything).
