My OSCP Experience in 2023

I got my OSCP on my first attempt in June 2023. I started at 10.30am and had the exam portion wrapped up by 11pm. Washed up, caught some winks and submitted the report at 2.30pm the following day.

I started with PEN-200 back in October 2022. Procrastinated and Offensive Security rolled out PEN-200-2023. I did the 2023 challenge labs and with the module exercises from the pre-2023, I’ve 10 bonus points in my pocket.

An email arrived two days after submitting the report, informing me that I passed the exam. I had managed to get proofs on all six machines.

I am grateful to my colleagues who tanked urgent project work during this period. Also to those that shared their methodologies, tips and tricks with me.

Preparation Effort

From October 2022 to end January 2023, I went through the PEN-200 materials in my spare time while juggling work and family commitments. December and January were busy due to some tender/contract at work.

The panic set in when February arrived, as I was less than five months away from the end of the Learn One subscription.

I drew up a plan to commit at least six (6) hours after work during weekdays and 16 hours during weekends. This allows me to have at least 22 hours of study/practice time weekly, leading up to the exam day (21st June 2023).

In June 2023, I ramped up the intensity, clocking almost 40 hours weekly. For the week leading up to the exam day, I took leave from work and dedicated entire days to practicing and reading other people’s walkthroughs of the various boxes in PG Practice, HTB and VulnHub.

So in total, at least 600 hours have been poured into preparing for OSCP.

  • Oct 2022 to Jan 2023 – 4 hours weekly
  • Feb to May 2023 – 22 hours weekly
  • 1 to 11 Jun 2023 – 40 hours weekly
  • 12 to 18 Jun 2023 – 70 hours
  • 19 to 20 Jun 2023 – 24 hours

Walkthroughs and practices

Why walkthroughs and not practice? I also dedicated time to practice, committing myself to three boxes daily. It is time consuming and the idea behind it is to jolt your brain juices and learn new stuff or discover the areas that I overlooked. For example, uncovering hidden cron jobs using pspy.

So instead of going through each and every box on my own effort, why not learn from other people’s experience? I can go through one box under 10 minutes this way.

Did it help to read other people’s walkthroughs? I would say yes, I picked up a couple of new things along the way. For example, chisel client can do reverse port mapping. SharpGPOAbuse is cool when one has rights to amend GPO. Or even knowledge that it is time to retire EternalBlue from your toolkit because you are unlikely to meet those OSes.

The Verification

I booked the exam on 7th Jun and scheduled it to be on 21st Jun 10:00 (Asia/Singapore) time. I was lucky to find a day that didn’t start too early (e.g., before 8am) or late (e.g., beyond 1pm).

Issues with WebRTC on both Chrome and Firefox

My mistake was not booking a test session to check whether the setup and infrastructure (e.g., Internet) work with the proctored exam. My home connectivity had issues with WebRTC and screen sharing got terminated periodically every few minutes or so. As a result, I switched to mobile internet and proceeded with the lower bandwidth and higher latency connectivity.

This WebRTC issue resulted in a longer time required for the verification and I was glad that the proctor was patient.

One issue after another – Exam OpenVPN refused to connect

I got my exam pack at 10:23am and started exam proper at 10:30am.

My Kali refused to connect to the Exam OpenVPN. Luckily I remembered that I had switched to mobile Internet and my bridged networking could be causing the problem. I figured that it was the VM connectivity and configured it to bridge to the new mobile Internet and it connected without any further hiccups.

At this juncture, I am crossing all my fingers and hoping that I don’t get any more surprises.

At the back of my mind, I was also hoping that the default MTU of 1500 will not screw me up later on.

The Exam

Silly to rush through the AD set

The adrenaline rush (from the issue earlier) spurred me to do things faster. I enumerated the public-facing boxes (three individual targets and AD public client) together and dedicated the first half of my day to the AD set. The AD public client was responding slowly to the nmap scans and I reverted it.

Come to think of it, it was silly to rush or speed things up because it is a 23 hours 45 minutes marathon. It is only 30 minutes, I’ve still got 23 hours 15 minutes.

The AD set went smoothly and I managed to obtain domain admin credentials by the end of the third hour.

I had a couple of bananas for lunch to avoid lethargy and continued with the remaining three machines.

Verifying the process while waiting for results

During the waiting time in-between enumerating the machines, I took the chance to verify the process to compromise the AD set. Remember that I am on mobile Internet? Hence, it takes a while to nmap, gobuster, enum4linux, nikto, etc.

Revert and revert

For the standalone machine, it didn’t react to my exploit for the initial foothold. The other machines also responded slowly to my probes. It is either my mobile Internet or the boxes. I paused all my enumeration but the exploit didn’t work either. I decided to revert the machine and the exploit worked.

Before I knew it, I verified all six (6) boxes for the third time and attempted to write the report. However, it felt very uncomfortable having another (few) pair(s) of eyes looking at me trying to form coherent sentences for the report.

Ended the exam

After verifying with the proctor that the 24 hours for report writing will start from 9:45am (planned end time for exam) the following day and not from the time I end the exam, I verified every submitted proof in the exam panel to make sure they are the same as what I recorded in my Joplin notes:

  • Machine for machine
  • IP for IP
  • 11 proofs on the exam panel and 11 proofs in my Joplin

After which I requested for the exam to end at around 11pm. After confirmation from the proctor that my exam VPN will be cut and I cannot resume the exam, I thanked the proctor and ended the exam.

First proper meal – Dinner

I had dinner and my first proper meal at 11pm. Given that I don’t usually have breakfast and was too engrossed with the machines for lunch, I was pretty famished at this point. I had a hearty dinner and ended up feeling too full to sleep.

Report writing

I ended up writing my report and headed to bed at 4am.

Woke up the next morning for early lunch and turned in the report at 2.30pm after making sure the proofs are recorded properly.

Conclusion

I would say there were quite a few ups and downs in my exam. Despite the issues that I faced, I was left with a wealth of knowledge in the area of penetration testing.

Lastly, for the record, Cybersecurity is not my core focus at work. From now on, I will be relying on public boxes to keep me sharp.
