My Experience with PWK Course & Lab
I spent a bit more than a week going through the entire PWK Course and doing the exercises. The latter helped cement the information, considering the number of new tools encountered. Documenting the exercises along with 10 lab machines, give 5 extra points in the exam so that’s welcomed. And it prepares you for the amount of notes you have to take. I must say that documenting the exercises took me a lot more than expected, but I got better at it, as I got more organized.
I used CherryTree for note taking. CherryTree is a hierarchical note taking tool which allows you to organise the information in a tree-like manner. It has all the good things you expect from a text editor (including exporting to HTML).
You can find a nice template here (not mine, credits to the author): https://411hall.github.io/assets/files/CTF_template.ctb
As I was approaching the end of the pdf, I used my recon script to scan the entire lab and get an overview. The script is basically a collection of python scripts, developed over these last weeks which launch various Kali tools to enumerate services found in scans. This helped me go after the low hanging fruit first. Make sure to automate everything you can. It can save you tons of time! Note that some machines can be exploited in multiple ways, so you can return to them any point in your lab time.
The lab is divided into 4 networks:
- Student/Public Network
- Dev Network
- IT Department
- Admin Department
You start in the Public Network and must make it all the way to the Admin Network, pivoting past 2 firewalls. This involves finding some “dual homed” machines (having multiple network adapters) with via which you can create SSH tunnels to the target networks. Similar to the root flag, you will find network flags that unlock networks in your Student Control Panel.
Takeaway from PWK Course & Lab
One of the things I’ve learned during my OSCP journey, is that SMB & SNMP protocols can be a particular rich source of information. And I spent a lot of time learning about privilege escalation. Getting root/admin access in the labs is usually done by making use of badly configured services (think like a lazy admin) versus using kernel exploits (which may cause system instability). As one should look for in the real world.
Another thing I’ve learned a lot about is pivoting. Pivoting means using a compromised machine (the pivot) to be able to access a different one which only the pivot has access to. Basically using the first compromised machines to allow or aid in the compromise of other otherwise inaccessible (non-routable) systems. Simplest way to pivot is by using SSH tunnels and a tool like proxychains-ng or sshuttle. These allow you to run your scanning tools from your local machine as if you were connected directly to the target networks.
Of course, all tools have limitations. For one thing, running things through proxies is slower, obviously. But there are other types of issues: certain nmap options won’t work via these types of channels, like the default option -sS (which does a type of fast port scanning, called SYN-Scanning). But don’t worry, you will find ways to deal with that.
The incredible feeling of accomplishment you get when compromising one of the harder hosts or unlock a new network, after days of trying, is hard to describe.
After finishing the lab, I can say this: rooting your way through the machines is a thrilling experience. Although the software is a bit outdated (Update: Offensive Security updated OSCP in 2020), the lab helps you learn fundamental skills for a beginner pentester or anyone working in Security, as it gets you the proper mindset for attacking systems.
My approach to the OSCP exam was to fire up my recon script and let it do its thing. Knowing it will take at least an hour to complete, the plan was to start on the high point machines while that’s running. I also have more brain power in the morning, so I thought of using it carefully.
Three hours in, I had administrative privileges on a first machine. Celebrated the quick achievement with a small victory break. Another three hours later, I got root on the other high point machine. With a good confidence boost and 50 points in the bag, I decide to take my lunch break. With almost 16 hours of exam time remaining and a relaxed mindset, I took on the 3rd target. After a few hours of trying hard with small progress (but no shell), I decided to move on to the next machine.
OSCP exam tip: rotating machines is key. Going straight for lots of hours on a single machine will burn you out and lower your morale (especially if you don’t make clear progress or reach milestones).
After a few more hours I had rooted the other 2 machines. So almost 13 hours into the exam, I had rooted 4/5 machines and had (a theoretical) 80 points.
After another break, I decide to review all the notes I had, make sure I have collected all the flags, submitted them in the exam panel, took enough screenshots, etc. Basically ensured that I had everything needed to create the exam report for those 4 machines.
Once finished, I went back to that 3rd machine. And I’ve thrown everything at it, including Metasploit and after another 6-7 hours I got… nothing! Not even a low privilege shell! After so many hours spent on the machine, I was feeling something between annoyed, tired and stupid, so I decided to call it a day. I still had ~3 hours of exam time, but figured I should have enough points anyway.
The following day I wrote the report which ended up having 45 pages. This took me about 4-5 hours (and I had previously prepared a template). 36 hours later, I got the “You passed” email. Yey!
I’m really proud of passing the OSCP exam! Studying for OSCP was a challenging, but wonderful experience. Overall, I spent somewhere near 250 hours preparing, but it was definitely worth it!