Preparing to take the OSCP Certification exam can be difficult. It requires time management and the "Try Harder" mindset. Students have been asking how and what to do to prepare for the new OSCP Certification exam, which now includes Active Directory (AD).
We want to share our experience to help you get to grips with the new exam environment. To help you prepare better for the exam, we will cover exam changes, findings, and recommendations.
Exam Changes
We will start by highlighting the changes made to the exam. Reading the OSCP Certification Exam Change announcement is highly recommended. Both articles provide all the details you need about the new exam format.
Point System
The new exam structure retains a total of 100 points, but the point distribution has changed significantly.
- Three stand-alone machines can earn up to 60 points. Each machine is worth a maximum of 20 points: 10 points for low-privilege access and 10 points for privilege escalation.
- 40 points are awarded for the complete exploit chain of the domain. Only the full exploit chain of the domain is eligible for points.
- Bonus points increased from 5 to 10 points.
- Students still need to obtain 70 points to pass the exam.
Active Directory
The domain set comprises three (3) machines: one (1) domain controller and two (2) clients. To receive points, you will need to compromise all three (3) machines. If you fail to exploit any one (1) of the machines, you will receive zero points for the set.
Stand-Alone Machines
Three (3) stand-alone machines replace the five (5) machines in the previous exam structure. To obtain full points, each stand-alone machine must be compromised at both the low-privilege and escalated-privilege levels. Unlike the AD set, stand-alone machines are eligible for partial points.
Buffer Overflow
Buffer overflow is now a low-privilege attack vector. To get the full twenty (20) points from a machine with a buffer overflow, privilege escalation will also be required. It is not guaranteed that every exam set will contain a buffer overflow machine.
Bonus Points
The lab report submission will earn you ten (10) points. For more information, please refer to the Lab Report section.
The Exam Experience
Exam
There has been little change in the way you connect to the exam environment or get started on the machines. The Control Panel is still the best starting point. Based on the Control Panel information, it is easy to see whether there is a buffer overflow machine to be exploited. If you have taken the exam before, some of the details about the buffer overflow machine may differ from your previous attempts, so make sure to read the Control Panel carefully.
Approaching Stand-Alone Machines
These machines are independent of each other, so the approach to them is almost the same as for the old exam. All of us started by scanning ports to determine which services to enumerate on each host. Once the services have been identified, the approach becomes familiar.
Only the buffer overflow was a slightly different experience, but it wasn't too far from our previous experiences. The attack begins with the development and execution of an exploit against a vulnerable server. In the old exam, this was usually the end of the attack. This is no longer the case: the rest of the experience is the same as with any other stand-alone machine, and you must enumerate and escalate privileges from your newfound access.
Conclusion: there isn't much difference between the old and new exam structures. Although the buffer overflow machine is slightly different overall, the way it's approached remains the same.
Taking over the Active Directory Set
This is the part we expected to be different. After all, dependencies weren't a part of the initial exam experience.
Despite this, the process of getting started is the same as for stand-alone machines. To establish our first foothold, we perform the same enumeration. We begin to gather information about the machines and soon discover which machine is the domain controller.
The approach we take is very similar to the one used for stand-alone machines. Once we have identified the services that are available, we start fingerprinting them to find out what might be running. Initial access for all of us came through the same kind of vector we might have found on a stand-alone machine, and privilege escalation was a similar story. Nothing was new territory, and little has changed from previous attempts. Although there are several machines to consider at once, there isn't an overwhelming number of options in terms of what can be attacked directly.
Only once the first machine is compromised does the experience change from the previous exam. This is where post-exploitation comes into play. This part of the process is important because it allows you to apply everything that was possible in the labs. However, the path to success was not always clear. Sometimes the path forward was found within the host; sometimes the key pieces of information we needed were located elsewhere in the domain.
Using our newfound information to get to domain admin was a similar process. We could use the information or access we gained to discover new services, gain access to previously locked-off services, or gain access to new systems. This eventually led to complete compromise and a huge root dance.
Main Takeaways
Here are some main lessons we learned from this experience.
- Do not worry about the stand-alone machines. At least, not as much as you did for the previous exam.
- Don't overlook the forest when approaching Active Directory machines. Domains allow computers to communicate with each other. If nothing else works, you will need to use information from one machine against another.
- The bigger picture is important, but don't forget to do the standard post-exploitation steps for each computer in the domain. You should also look for interesting services. If you get stuck, make a note so you can return to it later.
- You should have a plan for your enumeration, exploitation, and post-exploitation. You can use checklists and enumeration templates to help you stay on track when searching for the right information. It can be difficult to find the right information when there is so much of it; organizing the information will make your approach more structured.
- It is important to manage your time. Avoid going down too many rabbit holes and automate as much of the enumeration (not the exploitation) as possible. In combination with the checklist, a few enumeration tools can help you save time.
Luke, remember your training! Pre-made scripts and checklists are great, but you should also keep your personal experiences from the course and the labs in mind. If an important service you need to enumerate, or an attack vector you have used, isn't already in a checklist, add it.
As always, enumerate, enumerate, enumerate.
Pick Your Approach
There are two options to choose from when taking the exam. Below, we will discuss the benefits and drawbacks of each.
It is up to you, the candidate, to assess your own strengths and weaknesses.
Attempt Active Directory
Advantages
- You get to apply everything you know about AD, including enumeration and exploitation.
- This could take less time than working through the 3 separate machines. It should not take more than 4 to 5 hours.
- Up to 40 points can be obtained by exploiting the AD set.
Disadvantages
- This could prove difficult for students who are unfamiliar with AD concepts, even more so if they don't take the time to study AD and practice it in the PEN-200 labs.
- The Domain Controller and the entire AD chain must be compromised. You cannot earn partial points.
Submit a Lab Report
Advantages
- Students who have completed most of the PEN-200 lab machines, as well as the subnets, will find the stand-alone machines easier to work on.
- Compromising all three stand-alone machines can provide up to 60 points.
- One can avoid AD entirely and submit a lab report for an additional 10 points.
Disadvantages
- These 3 separate targets will likely require additional steps and may take significantly longer to exploit than the AD set.
- AD is a vital part of modern pentesting.
- Writing a lab report can be difficult and time-consuming, because you have to document every lab machine and all the exercises.
Lab Reports
Students can now earn up to ten (10) bonus points by submitting their lab report with the exam documentation. The lab report doesn't have to be long. Students are expected to demonstrate the steps of exploitation; screenshots are acceptable. It is not necessary to include detailed command output or enumeration steps. The lab report should not exceed 100 pages.
To be eligible for the full ten (10) bonus points, lab reports must contain the full exploitation of at least one Active Directory set, including the Domain Controller. Lab reports that do not include a fully exploited Active Directory set will be accepted until then.
Each proof.txt submitted within an AD set will be counted as one machine as long as it meets all requirements. Visit PEN-200 Reporting Requirements for more information on the lab report and exercise requirements.
Conclusion
After having the opportunity to experience the OSCP Certification exam again, this time with the new exam set, we both concluded that there are no surprises, given the current course content.