How I fucked around and found out

Well, about 2 hours ago, my OSCP exam time ran out. At this point, I should be writing the exam report, right? Well, to tell you the truth, nothing would make me happier, except for one simple fact:

I have nowhere near enough points.

Now, if I had something around 30 points, 40 points, I wouldn’t be that bummed out. But I got sixty. Sixty points, ten more and I could have had a chance. That, also, could be excused as this stuff “being too difficult.” What could I have done? I have not popped enough boxes in 24 hours. I did all I could, right?

Unfortunately, no. I could have gotten the OSCP, first try, if only for one thing: the fucking bonus points.

If you want to know more about the OSCP exam, there are links at the Offensive Security websites. I want to rant about my issues, my shortcomings, my failure.

AUTHOR’S NOTE: I know my times don’t match up, but I didn’t really look at the clock that often.

Registering an exam date and the first four hours

I registered the exam for 10AM local time yesterday. At 9:45, I logged into the admin portal, went through the setup and checks, and hopped into the lab. I did a quick port scan for the top 1000 ports, and went ahead with looking through the devices, looking for an in. Luckily, the machines are labelled, so I knew which belonged to the AD and which were standalone boxes.

It took me around 2 hours to look through everything, check every HTTP port for interesting homepages, searchsploit the most promising services, looking for an in. I did not touch the AD much, because I knew it would require a slightly different mindset and a different toolkit.

After around 4 hours of steady poking on all sides, I actually popped a shell on a Linux box and upgraded to interactive user! At that point, I started to enumerate the AD. This is where I hit my first big snag, with a few more to follow.

AD chain

The AD part of the lab might as well stand for Ass Digging, because it fucked me. Hard. It was not that I did not know how to do something, it was my dumb ass thinking I knew better than WinPEAS.

After I found some credentials and logged into a first machine, I found out that I had next to no privileges. I could reboot, but I couldn’t even get information about the system. I thought something was broken. I ran WinPEAS, Winenum, and I looked through everything, trying to find an escalation path. There could be no way I misread something or didn’t think it could be done (judging from my extremely low privileges), right?

(In the business, we call this foreshadowing)

It took me ~5 hours (yes, five goddamn hours) to figure out what I was supposed to do. Now, that is not 5 hours of overall time, where I ran off, had a break or focused on some other machine, that is 5 hours of banging my head against a wall and admiring the half-empty WinPEAS output. So, imagine my shock shortly before 2 AM when I said “fuck this” and did what I understood from the WinPEAS output.

It worked first try.

It was at this point that I managed to roll through the rest of the AD lab in around an hour. Fueled by pure hatred and the DOOM soundtrack, I punched through the rest of the AD in around an hour, from first NT AUTHORITY\SYSTEM to Domain Admin in 60 minutes. Why did it take so long for me to take the first step? Simple: I overthink.

Standalone machine

Something similar happened with the standalones. I missed a line in a config file. After I got user (which was not too slow, to be honest), I found out I could run one (seemingly unexploitable) command as sudo. Again, from that point, it took me about an hour of searching to find out that a process was running local-only, with an open port. SSH port forward, and voila, root shell and another proof.txt.

The sad rest

For the last machines, I found next to nothing. I found some path traversal, some weak password encryption, but unfortunately, no dice. That’s about all I can say without violating the OSCP terms of service.

Lessons learned for next time

After 18 hours with ~1 hour of breaks in total, 3 hours of sleep, and then 3 hours more of labbing, I can safely say I feel absolutely spent. It’s harder than anything I’ve tried so far in IT, and it may be because I really really really want the certificate, but I’m looking forward to my second try. Or a third try. One thing I will do differently, though, is grab all the bonus points I can. Such a shame to let 24 hours of trying go to waste because I was lazy throughout the year. I also need to practice my web application attacks. I am not as skilled in web and GUI applications as I feel in the terminal-only ones. I may hate it, but that’s the way it is.

Second lesson: Don’t start in the morning. I am not an early riser, and even though 10AM is not really “early-riser time”, I only got into my groove at 10PM. Next time, I’ll schedule it for 7PM or something. Better than burning for 18 hours and getting 3 hours of sleep. I’d rather get a few hours of work done, get a good night’s sleep and then get into it for a long day’s work. That way, I can prepare, have a calm working environment, maybe some scented candles, you know?

And I will try harder.

The last paragraph took me 40 minutes to write. It is time to go rest. Good night, y’all!