Original Intention

At the end of 2023, after fixing a vulnerability in our production ingress-nginx, I suddenly started thinking about how to examine our business systems from an attacker's perspective, so as to trim the exposure of our network services and avoid the security risks that vulnerabilities bring. The company offered CISP-related security training, but after carefully reviewing the exam content I gave up on it without hesitation. Later, while searching for a more convincing certification, I came across OSCP and began my learning journey.

What exactly is OSCP? Simply put, OSCP (Offensive Security Certified Professional) is a demanding, internationally recognized, hands-on penetration testing exam.

The road to OSCE3 - OSCP | PEN200 - 4xpl0r3r's blog

OSCP exam experience

At first, I had no idea how to make a study plan that fit my actual situation, so I searched for all kinds of guides. I remember searching hard before finally finding a life-saving outline: The Journey to Try Harder: TJnull's Preparation Guide for PEN-200 PWK/OSCP 2.0 | NetSec Focus. I spent about a week outside of work reading it and looking up the related terms and materials. This guide is excellently written, and months later it remains my number one. Many people ask whether you need to be good at English to learn for OSCP. I don't really know how to answer that. I only know that OSCP requires a lot of case studies and hands-on practice on lab machines (target machines) and real machines, and the cases, like the machines themselves, are almost all in English.

Process

Later, based on my actual situation, I started practicing on TryHackMe. Another reason I chose it was that in China it is easy to get a low-cost paid subscription through certain channels, which gave me enough buffer time to build up knowledge before paying for the more expensive lab platforms. Although a China-issued Visa card can easily pay for those other lab sites, I hesitated as soon as I saw the prices. I only knew some basic network security, and had no concrete idea of how real attacks and defenses work. My previous inputs were all hacker scenes from movies and TV shows, like cracking the FBI database in seconds, or the somewhat more realistic but still crazy Elliot in Mr. Robot. I lacked common sense about many basic concepts, though I did know a bit about phishing and SQL injection. I was still a novice in security. How deep must one's network, system and programming knowledge be before starting lab machine practice? Through later practice I found that overthinking it is unnecessary. Just start doing it, and you will gradually understand.

Due to a lack of the necessary background, I first took some paid courses on TryHackMe, learning the basics of red and blue teams, observers, wingmen and so on, and reading some APT cases. I also deliberately practiced some lab machine tasks. During practice, mastering these things took far more time and effort than I had imagined, and was full of challenges. I remember being just as confused when I learned CCNA many years ago, but I have to say that much knowledge depends on many prerequisites. Their official documentation is excellently written, and I enjoyed reading it. I don't know whether I read too carefully, but I even found some grammatical errors in the official documentation. When learning a task module, it took a long time at first because I kept getting stuck looking up words and terms. Although most terms were well explained officially, I wanted a deeper understanding, so I did extra research. I want to thank ChatGPT and devv.ai, two "buddies" who helped a lot during self-study. They never get annoyed, are very patient, and are available any time, on call 24/7.

Gradually, I understood why some experts are grateful for their family's understanding and support. Without that understanding and support after work, it would be impossible to learn additional security knowledge. Sometimes I miss the time when I was just out of college and single, when I could do whatever I wanted without so many obstacles. After working through some lab machines, I felt very grateful for my family's tolerance and understanding.

Target Machine Example

Let me give a small example: the web-shell issue.

Using gobuster with a wordlist on Kali, I enumerated the site's directories and found the upload endpoint. Through it I uploaded a reverse-shell script (a web shell), started a listener locally with nc, and then requested the uploaded script so that it connected back to my listener. That gave me a shell as the web application's service account on the backend, and from that foothold I escalated privileges on the host itself to root.

For details, refer to the following analysis and practice process.

RootMe by ReddyyZ | hambyhacks.github.io
RootMe by N00b_H@ck3r

For the web-shell lab machine, I had no idea where to start at first. I looked up a lot of information and used nmap and nc to scan and analyze the target's ports and application versions. In the end I gave up and looked at the answer. Fortunately, many exercises progress from easy to difficult and lay a lot of groundwork. Using their product, I could feel the effort of TryHackMe's product manager and team behind the scenes. They know not to discourage you at the start; they give you easy material first, because if it is too hard you will be scared away. The web shell is one of the most common and simplest attack methods. The road is long, and I thank them for the gradual content that always protects my confidence.
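The room above works because an upload endpoint accepts a PHP file that the web server will then execute. The defender's counterpart is to look for such files after the fact. The following is an added example, not code from the original post or from the RootMe writeups: a POSIX shell triage script that walks an upload directory and flags files by executable extension (including double extensions such as avatar.php.jpg and less common ones such as .phtml that slip past a naive ".php" check) and by PHP bodies that pass request input to a command or eval primitive. The directory path, the extension list and the keyword list are my assumptions; tune them to your stack.

```shell
#!/bin/sh
# Triage an upload directory for dropped web shells.
# Added example; extension and keyword lists are assumptions to tune per stack.
set -eu

# Extensions the web server may hand to an interpreter, matched anywhere after
# the first dot so "avatar.php.jpg" and "shell.phtml" are both caught.
EXEC_EXT='php|phtml|php[3-7]|phar|jsp|jspx|asp|aspx|cgi'
# Primitives a one-line PHP shell needs to turn request input into execution.
DANGER='system|exec|passthru|shell_exec|popen|proc_open|eval|assert'

# risky_name FILE: succeed if the file name carries an executable extension.
risky_name() {
  printf '%s\n' "$(basename "$1")" | grep -Eiq "\.($EXEC_EXT)(\.|$)"
}

# risky_body FILE: succeed if the file is PHP, calls a dangerous primitive,
# and reads request-controlled input (the three parts of a minimal web shell).
risky_body() {
  grep -Eq '<\?(php|=)' "$1" \
    && grep -Eiq "($DANGER)[[:space:]]*\(" "$1" \
    && grep -Eq '\$_(GET|POST|REQUEST|COOKIE)' "$1"
}

# find_webshells DIR: print "reason<TAB>path" for each suspicious regular file.
# Name-based hits are reported first because they are unambiguous; body hits
# catch the .txt/.jpg-named shells that rely on a misconfigured handler.
find_webshells() {
  find "$1" -type f | while IFS= read -r f; do
    if risky_name "$f"; then
      printf 'ext\t%s\n' "$f"
    elif risky_body "$f"; then
      printf 'body\t%s\n' "$f"
    fi
  done
}

# Usage (placeholder path): find_webshells /var/www/html/uploads
```

Run it from cron against every directory the application writes to and diff the output against the previous run; a new "ext" hit in an upload directory is almost always a finding, while "body" hits deserve a look because an image or text file has no business containing a PHP open tag at all.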


Experience

Through this practice, I have found that the usually obscure, machine-level details are precisely the dagger that makes the breakthrough. Many rarely seen knowledge points and small details are exactly the key to getting in. Facing these tricks, I often feel disoriented, as if I have not seen much of the world. They help me greatly, making me think about more of the factors at play. In life, whether in technology or elsewhere, good judgment when facing a choice depends on having a lot of useful context. An early, mistaken technical design decision that later has you running around could have been given a full and convincing analysis before the incident. In my subsequent work I have unconsciously developed the habit of stepping back from the current perspective to reflect on the overall technical architecture, the security risks of the system, and the sustainability of its maintenance. Imperceptibly it has become an occupational disease, like a police officer who profiles everyone they see. This habit of thinking is quite beneficial in handling many matters. I don't know whether it is a good thing at work; I can only keep reminding myself of my limitations and incompleteness, and stay vigilant.

In the real world, many environments can be taken all the way to root on a remote server through a web shell. On the client side, clicking a dangerous phishing link to an insecure website can compromise a local Windows or Mac system, and a site that asks you to type in a verification code may, behind the scenes, be exploiting script injection in your browser to steal your session cookies. Such intrusions are almost impossible to avoid completely. Sometimes I even vaguely feel that you don't need to understand APT or much security knowledge at all; as long as you can use scripts, you can carry out many attack tasks. As someone who fixes vulnerabilities, I feel I work hard enough: fixing many of them is time-consuming and stressful, with deadlines measured in hours.

Postscript

Due to career and life plans, I currently have no intention of sitting the OSCP exam. I paused for a month during the Spring Festival and then resumed. My biggest takeaway is that many things I am interested in, once I start digging into them, require more time and effort than expected. In this respect I sometimes admire TK教主 and Livid. Learning for OSCP has pain and struggle, but looking back it is quite "enjoyable." Learn more tricks to make work more "comfortable."

At the end of this article I pose a small question: besides scp, ftp, http and rsync, what other quick and convenient ways do you know of to upload a package from server A to server B over SSH?
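My own answer to that question, as an added example that is not part of the original post: the classic trick is to pipe tar, or a single file, through the SSH session itself, so nothing is staged on disk on either side and the transfer reuses the key-based authentication of the login. Host names and paths below are placeholders, and the TRANSPORT override is my assumption, present only so the pipeline can be exercised locally without a remote host.

```shell
#!/bin/sh
# Push a directory tree or a single file to a remote host through an SSH
# session, without staging a tarball on disk on either side.
# Added example; host names and paths are placeholders.
set -eu

# remote HOST CMD: run CMD on HOST with stdin connected to the caller's stdin.
# TRANSPORT (assumption for local testing) replaces "ssh HOST", e.g. TRANSPORT="sh -c".
remote() {
  host="$1"; shift
  if [ -n "${TRANSPORT:-}" ]; then
    # shellcheck disable=SC2086  # word splitting of TRANSPORT is intended
    $TRANSPORT "$@"
  else
    ssh -o BatchMode=yes "$host" "$@"
  fi
}

# push_tree SRC_DIR HOST DEST_DIR: tar the directory on this side and untar it
# under DEST_DIR on the far side. One stream, so it beats per-file scp for
# trees with thousands of small files.
push_tree() {
  src="$1"; host="$2"; dest="$3"
  tar -C "$(dirname "$src")" -czf - "$(basename "$src")" \
    | remote "$host" "mkdir -p '$dest' && tar -xzf - -C '$dest'"
}

# push_file SRC HOST DEST: stream one file over stdin and have the far side
# verify its SHA-256 before the function reports success.
push_file() {
  src="$1"; host="$2"; dest="$3"
  sum=$(sha256sum "$src" | cut -d' ' -f1)
  remote "$host" "cat > '$dest' && echo '$sum  $dest' | sha256sum -c --status" < "$src"
}

# Typical calls (placeholders):
#   push_tree /opt/app/release deploy@server-b /srv/releases
#   push_file app.tar.gz deploy@server-b /tmp/app.tar.gz
```

sftp, which rides on the same SSH connection, is the other obvious answer. The tar pipeline is the one I reach for when the package is a directory of many small files, because a single stream replaces one round trip per file, and the checksum on the far side turns "the copy returned zero" into "the bytes that landed are the bytes I sent."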