Today, a student told the information networking study guide community that they failed their OSCP exam because they used the popular Linux enumeration tool linPEAS.
On Linux and Unix targets, the well-known enumeration script linPEAS looks for potential paths to increase privileges.
After looking over their exam report, we discovered that since this automation is a part of LinPEAS, we regarded a portion of the exploit chain they provided as an automated exploit. Utilizing a sudo token vulnerability, LinPEAS generates an executable binary and runs background tests on it. If the executable works, the script will tell the student what command to use to get a root shell and raise their privileges.
Because of how LinPEAS was run, it automatically used a flaw that led to a shell. That is a given. Given that this is an automated exploitation, this is against the guidelines.
Although LinPEAS is also a highly-liked program, not all users are aware of this more recent addition, automated exploitation. The student made an honest mistake; they didn’t try to change the test or cheat in any other way.
We evaluated the exam after the impacted student brought up the issue, and we made the decision to provide the points necessary for the student to receive a passing grade in this particular example. Due to the complexity of the situation and our lack of malicious intent, we made this decision as a one-off.
We wanted to discuss this in the open because we don’t want there to be any further misunderstandings. We continue to maintain that automated exploitation is not permitted in the OSCP exam. Automated exploitation tools are not permitted, and you won’t receive points for the flags you get using them.
Let’s review the scripts.
This entire scenario serves as a crucial reminder of the need to understand what your tools and scripts do before using them. As a pen tester, it is your job to take responsibility for anything that goes wrong and hurts a client during a live engagement.
The makers of tools frequently release updates or alter how the tool or script functions. Even new features that we might not be aware of are added by them. We emphasize in our training that you should be aware of the expected results of any tool you use before using it because this is a fast-moving environment. To know what it will do, you might need to run it first in a controlled setting.
Running a tool that you don’t fully understand or are aware of could harm the systems of your clients as well as your reputation or relationship with them in a real-world assessment. We rely too much on some of the tools we use frequently, so it’s crucial to verify the changes that take place when the tool’s creator updates it. In a real assessment, the results of the tools you use are your responsibility.
Instead of the real world, a lab setting like PWK is a better place to learn this lesson. The OSCP functions as a miniature simulated assessment and ought to be handled in the same way as an evaluation of real production systems.
Consider the exam limitations as a contract dictating what you are and are not permitted to do. You need to understand what you are doing and why; passing the exam is not just a matter of going through a set of instructions and using specific tools.
Conclusion
Please be aware that instruments that do automatic enumeration are permitted during the exam if you intend to take the OSCP in the future. Tools that carry out automatic exploitation, however, are not permitted during the exam.
Regarding linPEAS, the author has informed us that the script does not have any auto-exploit features. As long as you don’t use versions of the script that let you auto-exploit, the tool is safe to use.
