My OSCP Journey - A Review

My OSCP Journey - A Review


Pre-Preparation:

Hello All, In this post I will provide you an overview about my OSCP journey. In order to gain some hands-on experience before enrolling, I started practicing on HackTheBox platform. Having done around 50 boxes, I finally felt ready to enroll into the PEN-200. I would suggest try to complete each and every box from the list mentioned below, before enrolling as your pre-preparation work.

OSCP Like boxes: TJnull’s Preparation Guide for PWK/OSCP

I enrolled for OSCP and completed all the PWK exercises and labs within 45 days. After completing all the coursework, I started preparing my notes in structured and organized way. The advice for you here is to make your own notes as it would really help you in your OSCP exam, you’ll thanks yourself later! What is important in doing all this is "BUILDING YOUR METHODOLOGY."

Build Your Own Methodology

If you have the time, I would strongly recommend completing TJ_Null’s list of HackTheBox OSCP-like VMs.

HackTheBox :

Below is the list of the machine that I solved from HackTheBox. 

HackTheBox : 1
HackTheBox : 2

Note: It doesn't depend on the number of machine you solve but it's all about building your own methodology.

Tryhackme:

To practice and gain hands-on experience , I would highly recommend :

1)Active Directory:

https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course

2)Privilege Escalation:

  • For windows:

https://tryhackme.com/room/windows10privesc

  • For Linux:

https://tryhackme.com/room/linuxprivesc

3)Buffer Overflow:

OSCP Exam:


The advice:

When you get to the exam, machines will be related to things you learned in the lab. And you will have 24 hours straight to work on them. The key to the lab is to focus on how the exploits work, how the enumeration works. Take your time on them. Fully understand why you did what you did to get that box. The exam will come naturally after that.

When it comes exam time, make sure you get a lot of rest the day before. Don't hack anything at all. Take a mental break.

·       Stay calm
·       Take breaks frequently
·       Stay structured
·       Sleep
·       Understand the exploit

Have a structured approach. Spent maximum 2 hours on one machine, if you got stuck or making no progress then move to another. But make sure to keep documenting your progress which could save your lots of time. For me Try Harder means take breaks, document your progress, and try again with fresh mind. 

Reporting:

On next day, I submitted the report as per instructions. Strictly follow offsec report submission standards take a minute to read it and understand the procedure. Surprisingly, I didn’t have to wait long and get my result on next day. I’ve successfully obtained the certification! 


Thank you for reading the entire blog! You can achieve OSCP certification as long as you put the effort and time.

Feel free to provide me the feedback. And I hope you enjoyed it.

Resources:

·        TJ_Null’s list of Hack the Box OSCP-like VMs
·        OSCP Exam Change






Comments

Post a Comment

Popular posts from this blog

API Information Disclosure

Image
API Information Disclosure Hello All, In this post I will provide you an overview about how to exploit Broken Object Level Authorization vulnerability. Definition: Attackers substitute the ID of their own resource in the API call with an ID of a resource belonging to another user. The lack of proper authorization checks allows attackers to access the specified resource. This attack is also known as IDOR (Insecure Direct Object Reference). OR APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user. Lets say our vulnerable website is target[.]com Steps I did to takeover all the accounts on the test platform. Since I was already registered user on the target website. I did functionality check of the reset password feature. Reset Password Function I added my email id and user id  and int
Read more

Introduction to IDOR

Image
Introduction to IDOR Hello All,  In this post I will provide you an overview about how to exploit IDOR vulnerability. What is IDOR?  IDOR:(Insecure direct object references) Due to improper validation of userid at Server side leads to Change of content. OR without any validation mechanism which allows attackers to manipulate these references to access unauthorized data OR A user can successfully request access to a webpage, a data object, or a file that they should not have access to. IDOR Attack Scenario: Case 1: Deleting other user content: 1)Victim post something on website which has a unique ID Eg: 19 Attacker: 1)Attacker creates a post which has a unique ID of 22. 2)He tries to delete his post by intercepting his deleting request. 3)In request, Change ID from 22 to 19 which results deletion of victim post. Case 2: Changing other user profile picture: Attacker: 1)Intercept the upload image request and find the Unique User ID of attacker. 2)Change the ID of attacker to victim ID. 3)
Read more