My OSCP story: tips, tricks and hints

Luis Toro (aka @LobuhiSec)
Jun 5, 2021

First, let me tell you about my background. I have been messing with security stuff since I was a teenager, not always with the same intensity, but I’ve always been connected to the cybersec scene in one way or another. My first IT job was on a night-shift helpdesk; it may seem like there’s nothing interesting there, but you can learn a lot about users’ psychology and how they interact with systems. I graduated as a Telecom Engineer in this period. Then I moved to a monitoring team where most of the tasks were repetitive, but some of them were delegated from the administrators’ teams, so I was in fact acting as a sysadmin. In this time I completed the LPIC-1 and LPIC-2 courses without taking the certifications; it helped me improve my Linux skills and my performance at work. Later I joined a Master’s Degree in Cybersec and I thought it was the right time to move into the cybersec sector. I wanted, as most of you, to enter cybersec as a pentester or ethical hacker, but I had no experience, so this wasn’t a realistic expectation and I started as a SOC Analyst in the banking and energy sectors. I learned how blue teams work and manage their tools: WAFs, SIEMs, phishing, ATPs and EDRs. That wasn’t as good as expected because the daily work was much the same as in the system monitoring team, but with security tools instead; at least I had joined the cybersec industry. Some months later I found my first opportunity to work as a pentester/ethical hacker, with no previous experience, and a year and a half later I got my OSCP badge on my third attempt.

Nobody wants to talk about: failing

I failed my first two attempts just because I wasn’t prepared enough; I rushed to obtain my OSCP certification and that was my biggest mistake. I think it’s important to expose this because maybe you can identify yourself at this point.

My first attempt was during my SOC period; it was the first time I heard about something called “OSCP”. Some of my colleagues recommended HackTheBox to me. I didn’t know what it was, but I joined and completed my first machine there, exploitable via EternalBlue and easy to privesc using a Windows kernel vuln. Pretty easy; with no points of reference, I thought I was prepared to enroll in OSCP. I did all the exercises and learned dozens of new techniques and tools, but the lab machines were hard for me; I completed just a few of them, not enough to be prepared. Anyway, I tested myself and I felt very confident about breaching the user line, but privesc was an exotic topic for me. I used to work with metasploit, sqlmap and the like, and as you already know, these tools are restricted or forbidden in the OSCP exam. I just failed, as expected.

On my second try, 6 months later and already working as a pentester, I prepared hard as f***: I did all the machines in the TJNull compilation and completed every lab I found related to Windows or Linux privilege escalation. I failed again, but I guess at this point I identified what was wrong with me: enumeration. I wasn’t good enough at enumerating, so I had to find my own way to improve this skill.

The point is, if you fail your attempt, try to be critical with yourself and make an effort to identify what’s wrong with your methodology, because that’s the key term in this process. In my opinion, OSCP is not about how many machines you have already completed in HackTheBox, TryHackMe or VulnHub, but about your skills and methodology.

Smooth the way

Let’s start with the cool stuff. Where to start? Easy: TJNull’s HTB machine compilation.

Check out the machine list mentioned above. If you feel confident enough to hack them all by yourself, then go ahead. In my case I wasn’t that brave, so I did them all while watching ippsec’s videos on YouTube. That’s the key: DO NOT USE WRITEUPS. Write-ups are much more straightforward about how to exploit and privesc, but none of them show how to enumerate properly, and that’s the cornerstone of everything. So, by watching ippsec you’ll learn how to do it properly and maybe find your own way.

TryHackMe’s offensive path is also highly recommended; again, find support in hands-on videos and avoid write-ups.

There are other lists with VulnHub machines; you can check them out if you want to power up your skills or test yourself before the exam.

Privilege escalation

As I said, privesc was an exotic thing for me for months, but I found a few resources that helped me master the most common ways to privesc in Windows and Linux.

First, we have a couple of rooms in TryHackMe for these operating systems:

Through these labs you’ll learn how to exploit crons, python libs and unquoted service paths, or how to use GTFOBins for sudo or suid/sgid binaries. It’s impossible to learn every single way to privesc on each system; just learn as much as you can from these basic methods, learn how to exploit them manually, and do not lean on auto-privesc tools.

Other interesting resources are:

Windows / Linux Local Privilege Escalation Workshop

PayloadsAllTheThings - Windows Privesc

PayloadsAllTheThings - Linux Privesc

Be tidy, hot logging

You may be struggling on many fronts at the same time, so be tidy and neat; no matter how, find your way, but do it. E.g. some people just hack the machines and only when the kill chain is completed do they repeat the process to take screenshots and notes and sort everything out. Avoid this; take screenshots and notes in real time for every command or step that you think will end up in the report. This will save you a lot of time.

One of the most useful tips I read is to create as many desktops as machines you have to hack, so you get “isolated” environments for each machine and your terminal won’t become a maze of tabs. Just be tidy.
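As an added example (not code from the original post), a small POSIX sh helper for this kind of real-time logging: every command run through `logged` and every entry added with `note` is timestamped into a per-target directory, so the report material is collected while working rather than reconstructed afterwards. The layout under `LAB_ROOT` and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal per-target
# "hot logging" workspace. Commands run through `logged` and entries added
# with `note` are timestamped into the target's own directory, so notes,
# screenshots and command output are collected while working, not afterwards.
# Assumptions: POSIX sh with date, tee and mktemp; the layout under LAB_ROOT
# (default ~/lab) and the helper names are choices made for this example.

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# workspace NAME -> prints the target's directory, creating the layout if needed
workspace() {
    dir="${LAB_ROOT:-$HOME/lab}/$1"
    mkdir -p "$dir/screenshots" "$dir/loot"
    : >> "$dir/notes.md"
    : >> "$dir/commands.log"
    printf '%s\n' "$dir"
}

# note NAME text... -> appends one timestamped bullet to the target's notes.md
note() {
    dir=$(workspace "$1"); shift
    printf '* [%s] %s\n' "$(stamp)" "$*" >> "$dir/notes.md"
}

# logged NAME cmd args... -> runs the command, shows its output live, and
# records the command line, its output and its exit status in commands.log
logged() {
    dir=$(workspace "$1"); shift
    log="$dir/commands.log"
    tmp=$(mktemp)
    printf '\n### [%s] $ %s\n' "$(stamp)" "$*" >> "$log"
    # capture to a temp file first so the real exit status survives the tee
    "$@" > "$tmp" 2>&1 && status=0 || status=$?
    tee -a "$log" < "$tmp"
    printf '### exit status: %s\n' "$status" >> "$log"
    rm -f "$tmp"
    return "$status"
}

# Usage after sourcing this file:
#   logged box01 uname -a
#   note box01 "kernel version recorded, see commands.log"
```

Source the file in the terminal dedicated to a target and prefix commands with `logged <target>`; the resulting `commands.log` and `notes.md` already carry the timestamps the report needs.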

Summary

· During your learning process, avoid using metasploit exploit modules as much as possible. Don’t become a hater; metasploit is still a powerful tool for real-world pentests.
· Complete TJNull’s HTB machine list.
· Complete Offensive Path in TryHackMe.
· Learn how to enum, not how to exploit.
· Find and improve your own enumeration methodology.
· Complete privesc rooms in TryHackMe and master these basics.
· It’s ok to use auto-recon privesc tools, but do not lean on them.
· If you cannot complete these labs/machines by yourself, look for answers in hands-on videos.
· Avoid write-ups; they do not explain how to enum.
· Be tidy, e.g. use one desktop for each machine.
· Take screenshots and notes in real time.
· If you failed, find your weakness and patch it.

Stay cool!
