One week from now, I will be sweating in a lab. The OSCP, you know the one, 24 hours of ball-wrenching AD and other machines, made just for me. It will be purgatory, and I still feel woefully unready, but I’ll go for it. It’s a hill I’ve wanted to climb for close to ten years now, so it’s only fair that I experience it and don’t chicken out. The failure is imminent, but every day in the labs, I am feeling a little more confident. Every box, every successful pwn is a thing I’m sure to remember.
Once you create a game plan, a recon plan and certain steps, stick to them. In the case of AD, it may prove repetitive (mimikatz, find a password, get onto another box, privesc again, mimikatz again, etc…), but if you make a specific plan and stick to it, you’ll be fine. I made the mistake of thinking I knew better than the plan. That’s when the rabbit holes kick in and stop you for hours.
Case in point: I was doing one of the AD chains in the OSCP labs, and after popping the initial shell and finding the service was running as NT AUTHORITY\SYSTEM, I ran through the usual. Mimikatz led me to a kerberoastable service account. This is when I made my first mistake: I thought there was one more step to Kerberoasting. After I had a service account password, I thought there was something else.
Why the hell would a service account be permitted a shell on any account?
Well, I was wrong, and I did not heed the plan. I got stuck for around 7 hours trying to figure out what to do with that password, thinking it must be for only Kerberos or only a specific service. It turned out it is, in fact, the password to that account, and it can be logged into!
Again, my mistake: Banging my head against a wall on an attack that I was sure was supposed to work. If the example from my first point was not enough, take another: I spent a few hours trying to pass the hash on a server that would not take it. The reason? I did not know how to do it. After reading as much as I could about NTLMv2, I found out that passing the hash is possible in RDP using mimikatz, or using impacket, but I didn’t get a reliable shell. I lost a few hours trying to make that one work, since what I could do in reverse shell would not work in RDP and vice versa.
The issue that I missed was that even with the hash, it would not crack. The password was way too long and complex for a rockyou wordlist, and the mimikatz version I had would not work in the device I was in. I kept getting errors.
It was only after a few hours of checking everything I could that I tried moving back, which brings me nicely to my third point:
This goes only for when you know your tools should work, but for some reason, they don’t. On the same system I had issues with NTLM on, I couldn’t get mimikatz to work. The tool started properly (surprisingly so, I could even run interactive mode on that box), but every time I went to dump LSASS, it would toss an error. I was pretty much certain that nothing else would push me further, and to my credit, I was right.
What turned out to be the issue was not some super-secret setting in AD, it was the mimikatz version. After I tried all of the 2.2.0 versions that are available on GitHub, I was pointed to a version 2.1.1 on the Kali Linux GitLab, which not only worked, but it gave me a cleartext password I could use.
After some eleven hours of struggling, once I had the proper Mimikatz version, I burned through the final 2 machines in the AD lab in one hour. I knew the plan backwards:
- Pivot using CME and a reverse shell for the -X flag
- Catch the reverse shell using netcat
- See what permissions I had on the box
- If it was PrintSpoofable, PrintSpoof, get system
- Run mimikatz (the correct version) and grab some cleartext cred from the device
- 60 GOTO 10
If I discount all my stumbles and being dumb and not sticking to the plan and not taking breaks and banging my head on walls and not banging my head on the right walls, the lab took me around 7 hours in total. Not good, but also, from now on, I guess I know what to do and what to hunt for first.
I know some of you might be saying: “Oh, but the OSCP exam lab won’t be like that! You can’t use this plan explicitly and expect to get it in a few hours!”
And you’re right. It probably won’t be this exact lab chain, but for all of you trying to call me out, I’ll call myself out first:
It won’t be this kind of lab chain. It will be slightly different, and I’ll bang my head on walls until my forehead meets my spine. There will be that one catch that I will waste all of my exam time on.
Am I calling myself out before you can do it? Yes, to rob you of the pleasure of giving me that “I told you so!” speech.
Will I give it my all on the exam day nonetheless? Fuck yes. I love this shit, even though it’s frustrating and it’s like picking a lock when you have no clue what driver pins and key pins are. It’s all about the Try harder mindset. I would rather try and fail, knowing that I’ve learned a lesson, than never try at all.
If you feel like you don’t have what it takes to pass this exam, I don’t blame you. But there’s a difference between making excuses and fighting against the odds. The OSWP exam is a piss in the wind. I’ve taken it twice, the second time around just for the hell of it. I can crack WiFi, and I know it, but did I break a sweat? Yes. This is the same thing, the only difference now is that I feel like the first time I took the OSWP exam. I’m pissing myself with nervousness. I am anxious to get it over with, knowing I still have to wait for a week. I’m considering not turning up, or trying for a few hours and giving up on the first hurdle, but that’s not the way.
The OSWP was my ballpark. I have been practicing for it, dedicated, for about 3 years. This shit, finding exploits, popping SHELLS? I’ve done it for much longer now. If you feel like you’re not ready, I don’t blame you. But if you’re going to tell me I should give up because I’m not prepared, you don’t get it. It’s not about the result. I would love to get the cert, no doubt, but it’s about the journey. If I fail, so what? I’ve taken the steps. I will wrestle a bear that will probably maul me, but at least I will be able to say that I did my best.
Start the walk. Nothing like this is going to fall in your lap. If you want something, anything, go and take that first step off your ass, and soon you’ll be charging a mountain.