OSCP and Penetration Testing mindset

Overview

I passed my OSCP back in August 2022. In this blog post I want to reflect on the mindset and strategy that OffSec helped me develop for conducting a successful penetration test against an organization. This article will not be specifically about the course, the labs or the exam, as there are a lot of other articles on the internet about those; it is about the psychological side of adversarial thinking and how OSCP helped in developing that mindset.

Background

Before getting the OSCP I had already been into information security for approximately 2.5 years. I was active on Hack The Box, TryHackMe and VulnHub doing boot2root machines, actively doing CTF challenges with my friends every other week, doing bug bounty and researching various topics; in general I enjoyed this. I was also a member of the Synack Red Team from January 2021. During our monthly Pentester Nepal meetup, our senior Nirmal Thapa, who also goes by the handle mpz and was OSCP certified, told me that OSCP was the most sought-after, industry-leading penetration testing certification at the time. I was basically hooked: when I returned home I started googling everything I could, watched every YouTube video and researched everything regarding OSCP, from blog posts to Reddit threads. I knew I had to get the OSCP certification. The problem was the cost, which was $1299 for course materials, 60 days of lab access and one exam attempt. I started actively doing bug bounty on Synack, and a week later my path traversal bug got accepted, which covered not only my OSCP cost but also Hack The Box VIP access and a PG Play subscription. In March 2022 I registered for the PWK course with 60 days of lab access.

The Labs

I had done 60-70 machines on Hack The Box, the machines from TJ Null's OSCP prep list, 25+ machines on Proving Grounds and so many machines from VulnHub and TryHackMe that I can't even remember them all, but compared to those the OSCP labs were unique. They had 75 machines in total, which included two Active Directory sets, with the rest being standalone Windows and Linux machines representing a typical internal network of an organization. These hosts ranged from old systems vulnerable to kernel exploits to the latest operating systems with fully updated applications. After compromising most of the hosts in one network we had to identify the one or two hosts connected to another network and use them as pivots to scan and gain access to machines in that network. It also taught us to leverage credentials or information gathered from one machine to compromise another. Even the NetBIOS names of the hosts in the network made sense: "okay, this is John's workstation, this might be a switch or default gateway, this and the previous host might be using the same configuration," and so on. The labs were not difficult at all; instead they were very fun. I planned to compromise two machines a day, so that in about 40 days I would be able to compromise all the hosts.

The Mindset

Talking about how OffSec helped in developing an adversarial mindset: I felt the labs were much closer to real life than Hack The Box, TryHackMe and other boot2root machines, and my thought process and methodology were slightly different while doing the PWK labs compared to boot2root machines from other platforms.

Remember: always go for breadth before depth. This means not fixating on one particular vulnerability or access point but enumerating everything: every TCP and UDP port, every service, its version and its specific misconfigurations, every piece of information including the NetBIOS name of the host, every entry point. Note every detail. Is the host running any kind of web application? Is it a CMS? What version? Is it a custom-built site? Maybe there is an administrator portal? Maybe virtual hosting is configured? Fuzz not only directories but also common files such as robots.txt, .git, .svn, config.php, .htaccess, etc. Found a forbidden directory? Fuzz it recursively and try common file names inside it as well; a 403 on the directory listing does not mean the files inside are forbidden, and we never know what works. Found some potential usernames? Comments posted by a user or an administrator? Got access to an email?

Now it is time to piece the information together. After enumerating as much as possible, use that information to your advantage by fitting the puzzle pieces together and trying different things. For example: an FTP service is configured with the web root as its directory, and there is also a web application? Maybe if I gain access to the FTP service and upload a reverse shell into the web root, I can trigger the shell from the website. I do not have credentials for the FTP service, but there is a path traversal vulnerability in the web application? Maybe I can read the FTP service's configuration file through the path traversal. Found potential credentials? What are the chances they are also valid for other services such as RDP, WinRM, SMB or SSH, or that the user is also an administrator on another host in the same or a different network where the same credential is reused? Found SQL injection in a web application backed by MySQL, but dumping the database did not yield anything juicy? What are the chances the MySQL LOAD_FILE() function can be used to read sensitive system files? (It only works when the database user holds the FILE privilege and secure_file_priv does not restrict the path, so check those before spending time on it; it also only reads a file, it never executes one.) If the host is Windows and we have write access to an SMB share that the web server also serves from, maybe we can upload a PHP reverse shell to that share and trigger it through the web server to get RCE.

We need to be curious and try different things to make the pieces fit. Remember: breadth before depth. Nothing worked? Maybe we can just brute-force our way in. Also, do not worry about memorizing tools or commands; those can be found literally everywhere, from HackTricks to GitHub, blog posts and forums, and are just a Google search away. The goal is to understand what you are doing, what the tool or specific command is doing, and what the objective is.
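One way to mechanize the "fuzz common files, then recurse into a forbidden directory" step described above, as an added example written for this post (it is not code from the post, from OffSec or from the PWK course): the crawler below is breadth-first, probes a small starter list of common files and directory names at each level, and treats a 403 on a directory as a reason to keep going rather than stop. The wordlists are an assumption (a real engagement uses full wordlists such as those shipped with ffuf or gobuster), and the FAKE_SITE map is a constructed sample so the example runs offline; http_fetch wires the same logic to a live target.

```python
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple
import urllib.error
import urllib.request

# Starter lists only (assumption: a real engagement uses full wordlists).
COMMON_FILES: List[str] = [
    "robots.txt", ".git/HEAD", ".svn/entries", "config.php",
    ".htaccess", "backup.zip",
]
COMMON_DIRS: List[str] = ["admin", "backup", "uploads", "dev", "old"]

# Status codes that say "something is here" even when we cannot read it.
DIR_HITS = {200, 301, 302, 401, 403}

Fetch = Callable[[str], int]  # maps a URL path to an HTTP status (0 = no answer)


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Build a fetcher for a live target; base_url like 'http://10.10.10.5'."""
    root = base_url.rstrip("/")

    def fetch(path: str) -> int:
        req = urllib.request.Request(root + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:   # 401/403/404/500 arrive here
            return err.code
        except urllib.error.URLError:           # refused, timeout, DNS failure
            return 0

    return fetch


def enumerate_site(fetch: Fetch, max_depth: int = 3) -> Dict[str, int]:
    """Breadth-first enumeration: probe every file and directory name at the
    current level before descending. A directory answering 403 is queued for
    recursion, because a forbidden listing does not mean forbidden files."""
    found: Dict[str, int] = {}
    queue: Deque[Tuple[str, int]] = deque([("/", 0)])
    seen = {"/"}
    while queue:
        base, depth = queue.popleft()
        for name in COMMON_FILES:
            path = base + name
            status = fetch(path)
            if status and status != 404:
                found[path] = status
        if depth >= max_depth:
            continue
        for name in COMMON_DIRS:
            path = base + name + "/"
            status = fetch(path)
            if status in DIR_HITS and path not in seen:
                found[path] = status
                seen.add(path)
                queue.append((path, depth + 1))
    return found


# Constructed sample site (not a real host): listing /admin/ is forbidden,
# but a file inside it and a nested backup directory are still reachable.
FAKE_SITE: Dict[str, int] = {
    "/robots.txt": 200,
    "/uploads/": 200,
    "/admin/": 403,
    "/admin/config.php": 200,
    "/admin/backup/": 301,
    "/admin/backup/backup.zip": 200,
}


def fake_fetch(path: str) -> int:
    """Offline stand-in for http_fetch, answering from FAKE_SITE."""
    return FAKE_SITE.get(path, 404)


if __name__ == "__main__":
    for path, status in sorted(enumerate_site(fake_fetch).items()):
        print(f"{status} {path}")
```

Against the sample map this finds /admin/config.php and /admin/backup/backup.zip even though /admin/ itself answers 403; a depth-first run that gave up on the first 403 would miss both. To point it at a real host, swap fake_fetch for http_fetch("http://target"). It does not replace ffuf or gobuster; the point is the ordering and the 403 handling.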

The Exam

I booked my exam for Saturday, August 6th, 6:00 AM Nepali time. By 10 AM I had successfully compromised the AD chain with 40 points in my pocket. I took a break until 12 PM and started with the Linux host, where I was not able to find an initial foothold no matter how much I enumerated or what I tried, including brute-forcing my way in. 2-3 hours had already passed. I moved to another machine, which was a standalone Windows host; in about an hour I successfully got initial access to the machine and got my local.txt, and it was already 5 PM. In about 11 hours I had accumulated 50 points. I took a break for an hour and went for privilege escalation, which seemed impossible, but remember what I said about piecing the information together, which is exactly what I did, and I was successful in gaining nt authority\system access. Now I had 60 points under my belt. I started with the second machine, which was relatively straightforward for both initial compromise and privilege escalation, and with that I had the passing score. I felt so much relief. It was already 12 AM, so I decided to sleep and set my alarm for 4 AM the next morning to give the previous Linux host one final try. I thought I had found the exploit but was not sure it would work; since I still had my one Metasploit usage left, I just fired the exploit, which gained me initial access to the machine, and I was like, what just happened here? Nevertheless, I continued with privilege escalation with only an hour remaining before my exam ended and successfully got root access to the machine. I felt like I was on top of the world at that moment. I quickly reassured myself that I had taken all the necessary screenshots and told the proctor to end my exam. After creating a thorough report and submitting it on August 13, 2022, in the evening Nepali time I received an email from Offensive Security that I had passed. This was a very proud moment for me, as I was finally an OSCP holder, although continuous learning and advancing my tradecraft in this field never stops.

Tips

  • Be curious
  • Try different things if one does not work
  • Focus on breadth before depth
  • Enumerate as much as you can and fit the puzzle pieces together by utilizing that information
  • Be patient; do not rush, or you will miss information that is right in front of you
  • Take Breaks