Do the BOF first as soon as the exam opens up if you can. Get it out of the way. Also, walk into the exam knowing how to find badchars in your sleep. If your box was anything like mine, this is a necessity.
Don’t get discouraged - it’s hard to pick up at first but you will get there.
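Finding bad characters "in your sleep" is a mechanical loop: send every byte value, read the buffer back from the debugger after the crash, note the first byte that differs, exclude it, and repeat. The script below is an added example and not something posted in this thread; it generates the test string, diagnoses the first divergence between what was sent and what landed in memory, and drives the loop against a constructed stand-in target (a function that strips line feeds, rewrites carriage returns and stops at a NUL, chosen to mimic three common real-world filters). In real use, the bytes returned by `target` are the ones you copy out of the debugger at ESP, or wherever the buffer lands, after the crash.

```python
# Added example (not from the thread): generate a bad-character test string and
# diagnose, from a memory dump taken after the crash, which byte the target
# dropped, mangled or truncated on. Nothing here talks to a real target; the
# "target" callable is a constructed stand-in for the vulnerable service.


def badchar_string(exclude=(0x00,)):
    """Return every byte value 0x00..0xff except those already known bad.

    0x00 is excluded by default: as a string terminator it is almost always
    bad and is the usual first entry in the bad-char list.
    """
    return bytes(b for b in range(0x100) if b not in exclude)


def as_escaped(data):
    """Render bytes as a \\xNN string suitable for pasting into an exploit."""
    return "".join("\\x%02x" % b for b in data)


def diagnose(sent, dump):
    """Compare what was sent with what landed in memory.

    Returns None when the dump matches, otherwise (bad_byte, verdict) with
    verdict one of 'dropped', 'mangled' or 'truncated'. Only the first
    divergence is reliable: everything after a bad byte may be shifted or
    gone, which is why bad chars are found one at a time. The verdict is a
    hint; the byte value is what matters.
    """
    for i, expected in enumerate(sent):
        if i >= len(dump):
            return expected, "truncated"
        if dump[i] == expected:
            continue
        # Removed: the following bytes arrive one position early.
        if dump[i:i + 2] == sent[i + 1:i + 3]:
            return expected, "dropped"
        # Substituted: the bytes after it are still in place.
        if dump[i + 1:i + 3] == sent[i + 1:i + 3]:
            return expected, "mangled"
        # Nothing after it lines up: treat as a truncating byte.
        return expected, "truncated"
    return None


def discover_badchars(target, known=(0x00,), max_rounds=256):
    """Repeat send/compare until the dump matches; return the sorted bad list.

    `target` is a callable taking the payload bytes and returning what the
    target actually stored (in real use: the bytes read from the debugger).
    """
    bad = set(known)
    for _ in range(max_rounds):
        sent = badchar_string(exclude=bad)
        verdict = diagnose(sent, target(sent))
        if verdict is None:
            return sorted(bad)
        bad.add(verdict[0])
    raise RuntimeError("too many rounds; check that the dump offset is right")


def constructed_target(payload):
    """Constructed stand-in for a vulnerable service (not a real target).

    Strips line feeds, rewrites carriage returns to spaces and stops reading
    at a NUL, mimicking three common real-world filters.
    """
    out = bytearray()
    for b in payload:
        if b == 0x00:
            break
        if b == 0x0a:
            continue
        out.append(0x20 if b == 0x0d else b)
    return bytes(out)


if __name__ == "__main__":
    found = discover_badchars(constructed_target)
    print("bad chars:        ", as_escaped(bytes(found)))
    print("clean test string:", as_escaped(badchar_string(exclude=found)))
```

Against the constructed target the loop takes three rounds and reports `\x00\x0a\x0d`. Two things worth keeping in mind when doing this for real: compare from the start of your buffer, not from the first byte the debugger happens to show, and re-run the full string after each exclusion, because a byte that was hidden behind an earlier truncation only shows up once the earlier one is gone.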
Mastering BOF is all about getting used to assembly-level debugging. Single-step your target, look at which point it does not execute the code you expect, and then find out why.
I had a similar issue on my exam. I had it working on the test machine after <1 hr but wasted a further 8 hrs getting it to work on the exam box; eventually I found the problem. PM me if you wanna discuss.
As others mentioned, the lost time and the pressure after that were too much and I failed the exam. I felt that I could not walk away for a break and ended up spending almost all of the 24 hrs at the desk chasing it and spinning my wheels in full brain-fog mode.
I took heart from the fact that I only just fell short (probably one user shell away), after having 0 pts on the board after 10 hrs. Looking forward to re-taking, having learnt from the experience.
@AgentTiro said:
I bet he was taking a jmp esp from an OS .dll rather than the programme. Then when he tried on exam it failed because of differences in OS.
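The point above is worth checking mechanically: a JMP ESP taken from an OS DLL lives at a different address on another Windows build (and on a different address every boot if the DLL is ASLR-rebased), whereas one found in the target program's own module, with ASLR off, stays put. The script below is an added example and not code from this thread; it parses a PE32/PE32+ image with nothing but `struct`, lists every `ff e4` in an executable section together with its virtual address, and reports whether the module has the DYNAMIC_BASE flag set. The `build_sample_pe()` helper only constructs a minimal test image; to use the scanner for real, pass it the bytes of the actual .exe or .dll.

```python
# Added example (not from the thread): scan a PE image for JMP ESP (ff e4) in
# executable sections and report whether the module is ASLR-rebased.
# build_sample_pe() produces a constructed, minimal PE32 for testing only.
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
JMP_ESP = b"\xff\xe4"


def parse_pe(data):
    """Return (image_base, aslr_enabled, sections) for a PE32/PE32+ image.

    Each section is (name, virtual_address, raw_offset, raw_size, executable).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_off = struct.unpack_from("<IIII", data, hdr + 8)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append((name, vaddr, raw_off, raw_size,
                         bool(chars & IMAGE_SCN_MEM_EXECUTE)))
    return image_base, aslr, sections


def find_jmp_esp(data):
    """Return (aslr_enabled, [(virtual_address, section_name), ...])."""
    image_base, aslr, sections = parse_pe(data)
    hits = []
    for name, vaddr, raw_off, raw_size, executable in sections:
        if not executable:
            continue
        blob = data[raw_off:raw_off + raw_size]
        pos = blob.find(JMP_ESP)
        while pos != -1:
            hits.append((image_base + vaddr + pos, name))
            pos = blob.find(JMP_ESP, pos + 1)
    return aslr, hits


def build_sample_pe(image_base, aslr, text):
    """Constructed minimal PE32 with one executable .text section (test data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # section/file alignment
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if aslr else 0)
    raw_off = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                      raw_off, 0, 0, 0, 0, 0x60000020)        # CODE|EXECUTE|READ
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header + b"\0" * (raw_off - len(header)) + text


if __name__ == "__main__":
    code = b"\x55\x8b\xec\xff\xe4\xc3\x90\xff\xe4"        # constructed .text bytes
    for label, base, aslr in (("program.exe", 0x00400000, False),
                              ("system.dll", 0x10000000, True)):
        rebased, hits = find_jmp_esp(build_sample_pe(base, aslr, code))
        note = "ASLR: address will move" if rebased else "no ASLR: stable"
        for addr, sec in hits:
            print("%-12s %s!%s 0x%08x  %s" % (label, label, sec, addr, note))
```

Prefer hits in a module that is both non-rebased and shipped with the program; also check the address for the bad characters you found earlier, since a JMP ESP at an address containing one of them is useless no matter how stable it is.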
@egotisticalSW said:
Congrats! Which boxes would you personally recommend for someone starting their OSCP journey? cough
Thanks mate. I would recommend all the retired boxes for practice, but focus more on Windows machines: TartarSauce, Chatterbox, Sunday and the machines with BOF.
I am not sure you can quantify a pass by how many boxes you have owned in HTB. IMHO, the difficulty with the exam is how many boxes you need to pwn in 24 hrs. If it takes you 24 hrs to get a standard OSCP box as discussed in this forum, then you might struggle to get enough points. The best thing you can do is make sure you are on point with things like a DEP-disabled BOF. You want to be sure you can get that done in an hour or so while your enum scripts are running on the other boxes. Having different scripts ready to go will help. Also, if you find you are having to google-fu basic concepts, e.g. how to properly enum SNMP, then you are probably not ready. You should be at a stage where you can accurately enum the most common services (FTP, SNMP, SMB, etc.) in your sleep. Mastering the common tools (nmap, gobuster, etc.) is a must. I don't think there is enough time to be working out “how do I run this”. The most important thing is to try and enjoy it. Good luck when it comes round.
Here’s what I would suggest after taking it twice and finally passing:
Joker (sudoedit and wildcards)
Jeeves (Pass the hash)
Waldo (Local file inclusion)
Poison (Tunneling via SSH)
Celestial (Crontab privesc)
Currently studying for the OSCP, and my lab time is soon expiring. I think I’ll try the exam now, but not quite sure if I should go for the exam or purchase some lab extension time.
I have rooted twenty-something boxes there, including “the big four”. I have also rooted all the domain-joined boxes, including the domain controller, and unlocked two of the three additional networks. I also feel I have BOF under control.
For those that have OSCP, what do you think? More lab time, or go for the exam?
@ghostride said:
Currently studying for the OSCP, and my lab time is soon expiring. I think I’ll try the exam now, but not quite sure if I should go for the exam or purchase some lab extension time.
I have rooted twenty-something boxes there, including “the big four”. I have also rooted all the domain-joined boxes, including the domain controller, and unlocked two of the three additional networks. I also feel I have BOF under control.
For those that have OSCP, what do you think? More lab time, or go for the exam?
I don’t have the OSCP as of now, but I think you can give the exam a try before purchasing extra lab time. At least you get to know the stuff and gain experience even if you fail.