Not your standard OSCP guide

An atypical OSCP guide that fills in gaps of other guides.

If you've come to this blog, you've probably already read the overload of OSCP guides out on the Internet. They are really valuable, but mostly say the same thing: do HackTheBox/VulnHub/Virtual Hacking Labs, take enough rest during the lab and exam, watch IPPSEC's videos and all of them shout the famous words: "Try Harder".

In this blog, I will not repeat other guides but rather top them up with extra tips and tricks that I had to figure out the hard way during my quest to OSCP. In the paragraphs below, I will cover the following topics:

  • My journey: a very short overview of the different phases of my OSCP study time

  • Documentation: how to document while going through the labs and exam

  • Automation: how to automate your enumeration workflow

  • Privilege escalation: how I tackled my lack of knowledge in privilege escalation

  • Backups: how to implement redundancy to automatically backup all data including notes, VM, scans and exploits

  • Friends: how friends can motivate you in your journey

  • Helpful sources: sources that helped me during my OSCP preparation and lab time

⛰ïļ My journey

I will not describe my OSCP journey in depth but here is a quick overview. When I started the OSCP preparation, I had one year of pentesting experience, mainly web apps and limited experience in system hacking. Before getting access to the PWK labs, I spent around 1 month on HackTheBox and hacked about 16 boxes while learning the methodology through IPPSEC's videos. Just before my OSCP lab time, I took one week to automate the initial reconnaissance phase by building my own Python enumeration script. Then I took three months of PWK lab access in which I could pwn 27 boxes. I could pass the exam at my first attempt. After 12 hours in the exam, I got the 70 points needed to pass and my final score was 80 plus 5 bonus points of the lab report.

Enough about me, now more about how I can help you!

Note that I started the lab just before the OSCP 2020 upgrade. Sadly I have not been able to get a glimpse of the new content. This guide however is generic and all the tips are applicable to both PWK versions.

📓 Documentation

Almost all the guides mentioned how crucial it is to take good notes during the lab and exam. None however gave you practical tips on how to do the documentation itself. During my OSCP adventure, I experimented a lot with different ways to document and I ended up with an aesthetic pleasing OneNote document that made my colleagues jealous.

Documentation per system

I took the general rule for myself to first analyze the output of my enumeration script while documenting interesting information as much as possible before actually trying to exploit identified vulnerabilities. Only when I felt I had a complete overview of possible entryways, I checked what path most likely would give me initial access to the machine. This way of working really helped me during the exam as I had a good overview of possible entryways. I constructed one template that I copied over for each HTB or PWK machine that I was enumerating. This worksheet contained the following main four tabs:

  • Methodology: contains a detailed step by step guide on how to hack this box. Every step is provided with the necessary screenshots such that I can just copy past this in my report, adjust some formatting and finish the report.

  • Enumeration: consists of all the information that potentially could lead to that initial user shell. I always included a table of all open ports, the protocol behind it and identified versions. In the notes column, I would also note exploit-db references and vulnerable configurations like allowed SMB null sessions. During the lab and especially the exam, I would also paste all my screenshots underneath the table such that when I was writing out the methodology, I just had to copy and past the screenshot I needed.

  • Post-exploitation: lists interesting services/permissions/users/... that I would discover during the enumeration of the box itself and that I could use to elevate my privileges to system/root.

  • Loot: exists of all the juicy pieces of information that I could extract during and after rooting a system like passwords and user/root flags.

TIP: also provide the name of the box with a cross or check mark depending on whether you have user or root on a box. "✔ïļâŒ Granny" means that I had user access to the box Granny but could not yet elevate my privileges to root. This gives you a quick overview of boxes that you didn't root yet (Find your emoticons here: emojipedia.org)

Lab overview

Next to a thorough documentation of each individual system, I maintained a complete overview of all the systems in the lab with their current status, open ports, quick description about used exploits and what I looted from the systems. This turned out to be quite useful towards the end of my lab time to see what systems I did not own yet and to quickly look up systems that were similar to another system I wanted to own.

Cheat sheet

In the cheat sheet section, I included all the different commands that could be useful during hacking. I really took a lot of time going through other public cheat sheets to make mine as complete as possible. I have formatted the cheat sheets in this GitBook on the following pages: Netwerk-Enum, Privesc-Windows, Privesc-Linux.

Download

If you would like to start from the template I used, take the following steps (Microsoft for some reason really hid the import functionalities in the new OneNote version):

  1. Download the zip file below

  2. Extract the content to a folder

  3. Go to the OneNote importer tool and select the folder you just extracted

  4. Hit import and start documenting

ðŸĪ– Automation

Automating your workflow can turn into a blessing or when done wrong, a curse. When including too many scans into your automation scripts, it's easy to drown in the overload of information you have to process. One of the major road blocks I experienced in the beginning was that when using automation scripts like Sparta and AutoRecon, I had no clue about what they were actually executing, nor what parameters were provided for the executed scans. This resulted in me not knowing what the blind spots were of these automation scripts. Therefore I decided to build my own python enumeration script that I constantly adjusted and fine-tuned during my playtime in the PWK labs. I'm really proud of my script as it is optimized to return information as quickly as possible and on top of that, everything runs asynchronously. This script will be made available in the near future.

ðŸąâ€ðŸ’ŧ Privilege Escalation

My biggest fear by far for the exam was the local privilege escalation on Windows. After 2 months and a half deep into the lab, I owned all Windows machines that didn't have dependencies. Still I had the feeling that Windows privilege escalation would be my major struggle during the exam and would cost me valuable time. To tackle this problem, I decided to dedicate the rest of my time to privilege escalation. I spent a couple of days on the lpeworkshop and really focused on how to detect the exploits manually and how to exploit them. To be as efficient as possible on the exam itself, I also researched what tools could help automate the enumeration.

Most of the privilege escalation guides have a list of commands to check different attack vectors. In the beginning however, I never really knew what the results meant and what I actually was looking for. Therefor I have compiled my own guide (Windows and Linux)and documented for each attack vector, how you can detect if the system is vulnerable and how to exploit it.

Important: Don't be dependent on the output of enumeration scripts. Only use these if you know perfectly on how to detect privilege escalation paths manually and just want to speed up the process.

My favorite tools for privilege escalation are LinPEAS and WinPEAS. These scripts format the output nicely and only return relevant information. With these tools, it is really easy to spot anomalies quickly without having to scroll through endless lines of output like with LinEnum for example .

ðŸ’ū Backups

Having an automated way to make backups and implement several layers of redundancy can be a big time saver. You would not be the first person to lose all your data stored on a VM during the exam because it crashes. (There are too many horror stories of people losing such a precious time during the exam).To backup my data, I used following strategies:

  • OneNote: To make sure I always had a backup of my notes, I used OneNote with the file automatically being saved to OneDrive.

  • Shared folders VM: Between my Kali VM and Windows host, I worked with shared folders. This allowed me to quickly have scan files and exploits ready in a new VM in case my current VM would get corrupted. Further the shared files were located in a OneDrive folder such that they were automatically stored in the cloud as well.

  • Snapshots: I would take regular snapshots of my VM, especially after some configuration changes. In case the VM crashes or becomes unstable, reverting to the latest snapshot quickly gets me up and running again.

Tip: Don't place the VM itself in a OneDrive folder. For me this resulted in slow internet connections as OneDrive would constantly try to backup 20 GB of storage to the cloud. ðŸĪŠ

ðŸĪ Friends

If you can, mobilize some friends or colleagues around you to join your OSCP adventure. It's a lot of fun to discuss different entryways into a system or to just laugh off our frustrations with a certain box. It can also be helpful when they give you a tip that finally makes you pop that shell. I was lucky to have four colleagues starting at the same time which helped a lot for staying motivated and exchanging ideas.

↩ïļ Helpful sources

These sources helped me tremendously while studying so I also want to share these with you:

Complete OSCP guides:

OSCP Cheat sheets:

Good privilege escalation learning materials:

Collection of binaries for limited shell escapes or privilege escalation