I’ve had a few requests to share my OSCP template. I was wary of doing so earlier, but this is actually the same report I would use if I were doing a commercial penetration test, and I made it 100% from scratch, so here it is.
Disclaimer: I’ve removed all references to OSCP and Offensive Security from the template. The icons were from a royalty-free website. Do your due diligence before using this template for any commercial engagement or submitting it as part of any exam. I make no guarantees that it will be accepted by Offensive Security or your client. I do not know Offensive Security’s stance on sharing report templates. I strongly advise using this as a guide only.
While at an airport bar in Singapore at 0200 on March 31st, killing time with someone I’d met on the flight over from Sydney, I connected my phone to the dodgy free WiFi, which caused my email client to complain about being man-in-the-middled because the captive portal was supplying its own untrusted certificate. I was about two thirds into an all-nighter for the third weekend in a row, and had just begun a 6 hour layover before a second 4 hour flight to Macau. After accepting the terms and conditions to connect to the network, my phone suddenly started vibrating frantically, echoing 4 or 5 different notification tones as it connected to the internet after 9 hours of going dark. New email, new SMS message, new Discord message, multiple Facebook chats. I checked my email first, expecting the usual junk. The list of emails loaded, and it took me half a second to realise what I was looking at: something I had been anxiously waiting for, constantly checking my email for, since 6 nights earlier:
As I read the words “We are happy”, I took a second to make sure that it wasn’t the lack of sleep playing with me. I blinked a few times and slowly realised that I had achieved something that had been hanging over my head since nearly a year prior, and something I hadn’t heard of many others doing: I passed the OSCP exam on my first attempt. I opened the email just to be sure, before hurrying over to my travelling companion, who was at the WiFi kiosk getting her own access sorted out. I must have sounded insane as I explained that I had just received confirmation that I had passed an exam, that I hadn’t known whether I’d passed or failed and had been waiting for an email to find out for nearly a week, and that this was a really big deal.
“Congratulations!” she said, entertaining my excitement, and offering me a high-five.
“We’re getting another round”, I announced. “I’m paying”
“Dear Craig, We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.”
What is the OSCP?
It can be a bit confusing trying to understand what is involved in the course and the exam, so I’m going to try to clear a few things up here:
PWK is Penetration Testing with Kali Linux. This is the course, which includes a downloadable PDF manual, accompanying tutorial videos that follow along with the PDF, and access to the labs (VPN access to a network that houses around 50 vulnerable hosts). It also includes a single exam attempt.
OSCP is Offensive Security Certified Professional. This is the certification that you gain by successfully passing the exam.
You cannot take the OSCP exam without enrolling in the PWK course.
The PWK Course includes 30, 60, or 90 days of lab access.
You can renew your lab time for 15, 30, 60, or 90 days. When you renew your lab time, you get an additional exam attempt; however, you cannot accumulate exam attempts, so you may want to use your exam attempt before renewing your lab time.
You can purchase an additional exam attempt without renewing the labs for a lot cheaper.
To achieve the OSCP certification, you have to sit an exam in which you have to compromise several hosts within 23 hours and 45 minutes. The exam is done wherever you like (at home); there is no option to take it at an exam centre. At the conclusion of the exam, you have another 24 hours to complete and submit your Exam Report, which should read like a professional penetration test report and include screenshots and instructions showing how to replicate the path to compromising each host. The exam is proctored, meaning that whenever the exam VPN is active you will be monitored using your webcam, and your computer will be monitored using a screen monitoring application. This must be set up before you get access to the exam VPN.
I’d heard about the OSCP in 2017, in between semesters during the last year of my Network Security degree. At the time I was very interested, but was focusing on finishing my degree. I then was lucky enough to be a part of the scholarship for the Cisco CCNA Cyber Ops course, which took the next few months of my time as I attained that certification. I found Cyber Ops to be an extremely well thought-out course, with very accurate and up-to-date material. Once I was done with that, my employer agreed to pay for me to take the OSCP course. This was around May 2018. I got access to the course material and the lab VPN.
I worked slowly through the course material while occasionally taking breaks to work on compromising hosts in the lab. I didn’t realise how much time the course material would actually take, and I didn’t get around to finishing it until a week before my exam, in March 2019, during the second time I’d renewed my PWK lab.
I’ve read a lot of posts and spoken to a lot of people who have taken the OSCP exam, and everyone’s experience was different, and also very valuable to learn about. Some of my experiences contrast with a lot of what I’ve read and heard, so I’ve compiled some of my main thoughts about the PWK course and the OSCP exam.
I didn’t use Hack the Box or VulnHub before starting the course
The first and last time I successfully compromised a host was during my time in the PWK lab. I did have a look at resources like Hack the Box and VulnHub but I never got around to using them. Many reviews and posts I’ve read do suggest using these resources, and I agree, as the lab time is expensive. However, for me, the PWK lab was enough to prepare me for the exam, so I don’t believe you need to spend much time outside of this as I’ve seen others suggest.
I also didn’t watch any IppSec videos until after I’d submitted my exam; however, I wish I had. His approach and methodology take all the guesswork out of attacking a box. I do suggest watching some of his videos when you’re not working in the labs.
I submitted the lab report with all the course exercises completed
This is what saved me. Do the lab report.
You’ll be told that by submitting a Lab Report along with your Exam Report, you can gain 5 extra points if your Exam Report doesn’t win you enough points to pass the exam. Effectively, there are 105 points up for grabs, and you only need 70 to pass. It was initially unclear to me whether the Lab Report was required to be part of the same document as the Exam Report. It’s not: it should be a separate document, with the course exercises as an appendix.
The Lab Report requirements are as follows:
Report on 10 separate lab boxes, including how you compromised the box with screenshots.
For each box, you have to use a separate exploit/vulnerability. I was sure to include a variety of different methods to attack and escalate privilege in the boxes that I included in the report, including Metasploit, brute forcing passwords, kernel exploits, weak services, RFI, LFI, etc.
For each of the boxes, you need to include a SINGLE screenshot showing the IP address (ifconfig/ip addr/ipconfig), whoami, and proof.txt contents. I also included the output of a ‘hostname’ in the screenshot for good measure. (I didn’t realise this requirement and had only included screenshots of the proof.txt contents, so I had to scramble to complete this after my exam before submitting my reports.)
Appendix with each of the course exercise, answered/attempted with screenshots and explanations.
In the course material, after each chapter there are a handful of exercises, about 60 or 70 in total. Many of these have to be completed while you have PWK lab access, as they need to be done on lab machines or on the lab network. Some also require you to conduct a certain attack or scan on lab boxes, but you may have to work out which boxes are vulnerable, which can be very difficult and time consuming. Some questions are very vague or unclear about what is required; for example, one may ask whether you were able to conduct a certain attack on any boxes in the labs. In this case, if you’re unsure, check the Offensive Security forums, or show your attempt and detail your thought process. Do the lab report.
Many forum posts and blog posts that I’ve read, and many people I’ve spoken to, have said that they didn’t believe the amount of effort and time required to complete all of the exercises was worth the extra 5 points on the exam. Many people are also very excited to start rooting boxes and treat the PWK course as a race to get as many boxes as possible before the lab time runs out. Some of these people have also admitted that they may have passed exam attempts that they failed, had they submitted the lab report. Do the lab report.
Another good reason to complete all of the lab exercises before working on compromising hosts is that the PWK material teaches nearly everything you need to take down the hosts. You will need to do a lot of your own research as well; however, there were times when I spent a while stuck on a lab host before deciding to go back to the exercises, and found what I was looking for right there in the course material. Do the lab report.
I didn’t use the OSCP report template
When you begin the PWK, you’re given a report template that you can use for your Lab Report and Exam Report. There was conflicting information on whether you had to use their template or could use your own, something Offensive Security should clarify. I didn’t like theirs at all, for a number of reasons, so I developed my own template that I used for both the Lab Report and the Exam Report.
My report template was as follows:
– Cover Page
– Table of Contents
– Executive Summary
– Key Recommendations (things like implementing monitoring, patch management, and vulnerability management programs)
– Methodology (my approach, based on the Cyber Kill Chain)
– Information Gathering (list of hosts, including hostname, IP, open ports)
– Penetration Test (each host broken down into the Kill Chain methodology, with information and screenshots for each stage of the Kill Chain; also included a summary, vulnerability scoring, and remediation recommendations)
– Housekeeping (cleaning up)
– Appendix A (all course exercises, grouped by topic and then numbered the way that they are in the Course Material, for example Wireshark, 22.214.171.124, 126.96.36.199, etc.)
– Appendix B (exploit source code)
I didn’t compromise 40 boxes in the labs before taking the exam
Some posts I’ve read were by students claiming to have compromised 40+ lab boxes. In contrast, I compromised about 14 all up, and they were all in the DMZ network. I took down one of the ‘big 4’, and some others that I considered to be a bit harder. The point is, I don’t think it’s imperative to ensure that you compromise every single host, so long as you get experience working on different operating systems with different attack vectors and methods of compromise.
Every box I compromised, I put together a full report on, using my own customised template. This helped to reinforce my reporting methodology and also gained me the 10 boxes required for me to include in my lab report.
My exam was proctored
My exam was proctored, meaning there was someone watching my screen and webcam for the entire 24 hours of my exam. The proctor changed about every 8 hours. The proctor asked me to move the webcam around my room to inspect my surroundings. I also had to run an application called Screen Connect on my computer so that the proctor could watch my screen. I had a few issues with the proctoring software:
Firstly, the proctor advised at times that they were unable to see my webcam feed. I tried refreshing the web application that was watching my webcam, and had to restart my computer a few times. This was frustrating as it interrupted scans and brute-force scripts I was running, and I had to set up my environment again each time I restarted.
I also had problems with the Screen Connect application: it seemed to lag my computer when I had all 4 monitors running, so I turned two of them off, which wasn’t ideal as I’m used to using at least three (a screen each for web browser, VMware, and OneNote/report).
Another cause of frustration was something I couldn’t prove, but I read a blog post where someone else reported the same issue while Screen Connect was running: it intermittently broke copy and paste between my host system and my guest system (VMware Tools). I asked the proctor about this, but was just given the copy/paste response that the Screen Connect software can’t control my computer, and that if my computer meets the minimum specifications there shouldn’t be an issue.
I did email Offensive Security to report the time I’d lost due to the proctoring, and they granted me an additional 90 minutes of exam time. Unfortunately, an extra 90 minutes at the tail end of being up for 26 hours was more of a punishment at that point, and I didn’t end up making any more progress during this time.
I recorded my entire exam
I used Xsplit Broadcaster to record my screen the entire time during my exam and save it to my hard drive. I did this to take the pressure off myself during my report, in case I forgot to get a screenshot or forgot how I attacked a host. This made me a lot more relaxed during my exam, knowing that I would be able to go back and find any commands run or gather screenshots during my report. If you’re looking for a free tool on windows, have a look at OBS.
My exam was scheduled for 9AM on Friday the 22nd of March, 2019. I was very close to rescheduling the exam, because I’d had a few very busy weekends prior: Mum’s 60th, with family from NZ and the UK staying with us all weekend, and the following weekend I was at BSides Canberra, which included a few very boozy nights with no sleep as I stayed up for around 26 hours playing in the Incident Response CTF. I guess that could be considered practice for the OSCP exam -_-. As the date approached, I told myself that I should just take the exam, not sure how I would do, but I may as well give it a try, as the following weekend I’d be flying out to Macau for three weeks for a threat hunting engagement.
8AM – woke up, got a few V energy drinks and some snacks.
9AM – check email. Nothing from Offensive Security to start the exam.
9.15AM – get in touch with Offensive Security. Actually, my exam starts at 10AM. Oh.
10AM – Get access to the exam. Read through instructions. Start working on the Buffer Overflow host. Watched the Course Material videos on the Buffer Overflow as I had to re-learn how to do it.
1/2PM – Took down the Buffer Overflow box. 25 points.
6PM? – Not sure what time actually, but at some point I took down the 10 point box.
9PM – Someone came over to pick up some building material we were selling. It was heavy and took about an hour to help them pack it into their van.
10PM – realised I hadn’t eaten all day, my sister and I went for a trip to McDonalds as I wasn’t bothered to make anything.
11PM – Some time around here I believe I took down one of the 20 point boxes. After gaining the initial foothold, I fired Metasploit at it to gain a low priv shell. I was able to use a publicly available vulnerability to escalate privileges.
1AM – 11AM – For what seemed like forever, I worked on the other 20 point box. I managed to gain a low priv shell, and began the long, slow process of attempting privilege escalation. I must have thrown about 8 different exploits at it, then iterated through all of the services, applications, and security configurations without getting anywhere. I still have no idea what I was missing, and would love to know what it was.
I didn’t end up spending any real time on the 25 point box, as I knew that if I could just get root on the second 20 point box I’d have enough points to pass. Without getting root, I was 50/50 on whether I had enough points.
The way I’d worked it out:
– 25 point box – root (25)
– 20 point box – root (20)
– 10 point box – root (10)
– 20 point box – low priv (10? There is no answer on how many points a low priv shell is worth, though many speculate it’s half)
– 25 point box – didn’t attempt (0)
– Completed exam report (5)
So I had to gamble on whether or not Offensive Security would be satisfied with my Lab Report, all my exercise answers, and my Exam Report, AND that they would award at least 10 points for a low privilege shell.
12PM-5PM I think I may have slept for a while.
5PM-8PM – Started working on my Exam Report.
9PM – went to my girlfriend’s place, then we both went down the road to AM//PM at Crowbar to see Slaves (who were awesome) and some friends, and have a few drinks
11.30PM – drove back to my place
12.30AM-5AM – my girlfriend slept while I worked on finishing my Exam Report. Recording my exam was a big help, allowing me to go back and collect screenshots and recall how I attacked the hosts.
5.30AM – submitted my Lab Report and Exam Report and received a confirmation email.
5AM? – slept
Days went by. I had no idea if I’d passed or not, and was willing to accept it if I hadn’t. I started reading many posts about people’s exam experiences; many reported that they received their results in around 24 hours. I nervously checked my email every few hours, including in the middle of the night. Every vibration of my phone made me anxious. Friday arrived with no word. Offensive Security advise that results will be received within 5 business days of submitting the reports. I emailed Offensive Security and they replied saying that they were still marking my exam.
Saturday, 30th March – about to board a plane for Singapore, en route to Macau. I checked my phone one last time before the 8.5 hour journey. No word.
Sunday, 31st March – 3rd weekend in a row with no sleep (I can’t sleep on planes, and now I have a 6 hour layover in Singapore). Connected to the airport WiFi, got the email that I passed.
My Credentials Prior to starting the PWK
Many people are interested in what experience is required before starting the PWK/OSCP. In my opinion, the PWK course teaches you nearly everything that is required for you to pass the exam. You will have to do some of your own research; however, I don’t believe you need much more than decent computer and TCP/IP experience, and to know your way around Windows and Linux. Anyway, here is me:
Education
– Certificate IV Database Administration
– Diploma Systems Administration (Networking)
– Bachelor of IT Network Security
Certifications
– CCNA Cyber Ops
10 years working in IT
– Helpdesk
– Web Developer
– Systems Administrator
– Security Analyst
After a late night session, I just took down Oracle! It was an easy one, but it took some time as I got stuck working on an exploit that I eventually didn’t use in favour of a different one.
Don’t only check Exploit-DB; look at GitHub as well for exploits.
Sometimes exploits can only be run once; if you mess up, you have to revert.
Remember that 4444 won’t always be allowed out of the target’s firewall.
I had some issues when running a python script I downloaded with wget from Exploit-DB. It turned out the line breaks were not formatted correctly for Linux. A simple ‘dos2unix’ command fixed this. https://en.wikipedia.org/wiki/Unix2dos
Make sure you’re running python scripts using python, not bash!
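The last two tips above (CRLF line endings from a downloaded script, and running a script with its proper interpreter) can be checked before you fire an exploit at a target, which matters when the exploit only works once. The snippet below is an added example, not code from the original post or from Exploit-DB: it detects Windows line endings, normalises them the way dos2unix would using only POSIX tools, and reads the shebang line so the script is handed to python (or perl, or sh) rather than blindly piped to bash. The function names and the file name in the usage comment are my own.

```sh
# Added example, not from the original post: sanity-check an exploit script
# pulled down with wget before running it. Assumes only POSIX sh, grep, tr,
# sed and head.

# Exit 0 if the file contains at least one carriage return (CRLF line ending).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Strip carriage returns in place (a POSIX-tools stand-in for dos2unix).
strip_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the interpreter named in the shebang line: python, perl, sh or unknown.
# A stray CR on the shebang line is removed first, since "python\r" is not a
# program the kernel can find.
interpreter_for() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        '#!'*python*) echo python ;;
        '#!'*perl*)   echo perl ;;
        '#!'*sh*)     echo sh ;;
        *)            echo unknown ;;
    esac
}

# Usage (file name is hypothetical): sh check_exploit.sh exploit.py
if [ "$#" -gt 0 ]; then
    if has_crlf "$1"; then
        echo "$1: CRLF line endings found, converting" >&2
        strip_crlf "$1"
    fi
    echo "$1: run with $(interpreter_for "$1")"
fi
```

Running it on a script with a `#!/usr/bin/env python` shebang strips the CRs and reports `python`, which is the interpreter you should invoke it with; a script whose shebang names bash or sh is the only kind that belongs in `bash`.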
My prediction was incorrect: the domain is still under the control of the prankster, let’s just call him Jack (because that’s his name). Jack has apparently reached out to Scott Morrison offering to transfer it back over to him. The firm he works for has also made a press release. I have a feeling it borrows a bit from my article, but hey!
So Prime Minister Scott Morrison forgot to renew his domain name scottmorrison.com.au, and some dude from Melbourne purchased it and is pointing it at a WordPress installation. The simple website is just a single page with an image of the PM, with Lustra’s ‘Scotty Doesn’t Know’ obnoxiously playing in the background, sparking flashbacks of early 2000s MySpace days.
He boasted it on his personal Facebook page which has lax privacy settings, but I don’t think subtlety was part of the plan here. Even so, I’m going to sanitise all screenshots.
A whois lookup on the domain name shows that it was purchased by the same person whose Facebook account made the post:
Soon after, the contact details were changed from his personal Gmail to a separate one set up especially for this domain.
I’m not sure if he understands auDA’s policies concerning .com.au WHOIS data, because changing the email address isn’t making him any more anonymous. For those playing at home, a .com.au is always tied to an ABN or ACN.
I also checked to see if this domain actually did belong to ScoMo:
Looks like it.
That’s pretty funny! What else can he do with the domain?
Well, now that he controls the domain name, he can set up a catch-all mailbox and wait for emails addressed to the PM to come in. He could then enumerate which email addresses were signed up for which services, and initiate password resets. He could also leak sensitive information (even inadvertently), possibly calendar and contact information for other world leaders, depending on how the domain was set up and used previously. So it’s actually kinda serious. Gabor, a cybersecurity expert, posted on his blog in August about the dangers of letting a domain expire and fall into the wrong hands.
Of course, he could also impersonate the Prime Minister by setting up an email address under @scottmorrison.com.au and sending a mean letter to the POTUS, so there’s that.
Oh. So, what can the PM do about it?
Unlike .com, which is the wild west of domain names, .au domains are governed by auDA, who outline the eligibility policies for .au and .com.au domain names. Such policies include anti-cybersquatting measures (for example, against buying a domain for the sole purpose of selling it to someone else), and also require a genuine need for registering the domain, which should be in line with the purpose of the ABN required to register the domain in the first place.
For a normal person like you or me, we would have to lodge a dispute claim with auDA, stating that the domain wasn’t registered in good faith (it would be very hard to argue the point). It’s not clear how effective or costly this is; there is a Whirlpool forum discussion on .au cyber-squatting that covers it at length.
Of course, he’s not like us, he’s the Prime Minister. I suspect Scotty now knows, and will have contacted the right people to have regained control over the domain by COB tomorrow. I imagine our prankster will get a stern talking to, but hopefully not much else. And please, DON’T FORGET TO RENEW YOUR DOMAIN NAMES!
So I renewed my OSCP lab time for another 90 days, with the goal of spending a lot more time in the labs. Well, that hasn’t worked out so far, but I’ll keep at it.
Something I learned about the atftpd service: the path argument doesn’t seem to work, at least not for me. According to https://linux.die.net/man/8/atftpd and the OSCP manual, the following should start the TFTP server with /tftp as the directory:
atftpd --daemon --port 69 /tftp
Anyway, it wasn’t working for me, and I couldn’t figure out why:
until I found a helpful forum post that suggested checking /etc/default/atftpd
I guess that the path flag wasn’t overriding the default path of /srv/tftp. After changing the path there, it worked.
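When a hand-started atftpd seems to ignore its directory argument, the two things worth checking are which directory the packaged service was configured with and whether something is already bound to UDP/69 (two daemons cannot both bind the port, so the second one started by hand will not be the one answering). The snippet below is an added example, not from the original post or the atftpd project: it pulls the served directory out of an /etc/default/atftpd-style file and lists whatever currently owns UDP/69. The assumption that the defaults file carries an OPTIONS="..." line whose last token is the root directory is mine about the Debian/Kali packaging, so compare it with your own file.

```sh
# Added example, not from the original post: find out which directory atftpd
# was configured to serve and whether UDP/69 is already taken. Assumes POSIX
# sh with sed and awk; the listener check needs iproute2's ss.

# Print the served directory named on the OPTIONS line of a defaults file
# (assumed layout: OPTIONS="... <flags> ... /srv/tftp", last token is the root).
atftpd_root_from_defaults() {
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | awk '{ print $NF }'
}

# Print the local socket and owning process of anything bound to UDP/69;
# prints nothing if the port is free.
udp69_listener() {
    ss -ulnp 2>/dev/null | awk '$4 ~ /:69$/ { print $4, $NF }'
}

# Usage (script name is hypothetical): sh atftpd_check.sh /etc/default/atftpd
if [ "$#" -gt 0 ]; then
    echo "defaults file serves: $(atftpd_root_from_defaults "$1")"
    listener=$(udp69_listener)
    if [ -n "$listener" ]; then
        echo "already bound on UDP/69: $listener"
        echo "a second 'atftpd --daemon --port 69 /tftp' cannot take the port while this runs"
    else
        echo "UDP/69 is free"
    fi
fi
```

If the listener line shows an atftpd started by the init system, the directory in the defaults file is the one your target will actually be pulling files from, which matches the fix the post describes: change the path there (or stop that instance) rather than passing a different directory on the command line.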
And Aura Animi is playing with Alpha Wolf at the last ever Hot Damn! back on Oxford Street. This will be the 5th time I’ve played Hot Damn, the 4th band I’ve played in at Hot Damn, and the 4th Hot Damn venue I’ve played. I’m sure it will come back… one day…