So the news is in. On the 23rd of May, merely a day after I submitted my exam, I heard back from the Offensive Security team, who confirmed that I had passed the OSCP certification. I wasn’t going to write a review, as there are so many good reviews out there, such as:
Tulpa security: https://tulpa-security.com/2016/09/11/review-oscp-and-pwk/
Adam Brown: https://coffeegist.com/security/my-oscp-experience/
Tulpa’s was really useful before starting my OSCP and gave some really good references on where to go and what to read before starting your OSCP journey; Adam’s guide has an excellent breakdown of his lab experience. So I am just going to go over my thoughts, recommendations and advice for others who might be in the same situation as I was.
So, a little background about me: I am 21 years old and have been working in IT for about 5 years now. I started out working mainly in infrastructure and progressed into the DevOps space; during these 5 years I got to work with a wide range of technologies, tools and OSs. I have always had a passion for security; I love both physical and technical penetration testing, and I aspire to build a career in these fields.
- In terms of programming, I was mainly a scripter who wrote bash/Python scripts to automate some sysadmin-type tasks, as well as writing DSL/YAML and Ruby for Puppet/Ansible configuration management modules. Mainly just using Google-fu, I can pick up and write code in most languages to some degree.
- I had a deep understanding and good knowledge of networking technologies, concepts and topologies. This is extremely important going into the OSCP labs, especially when it comes to pivoting, IDS evasion and routing. I understood and had configured things like firewalls, routers and other networking kit, as well as sometimes having to debug network connectivity and find out why things wouldn’t connect.
Red Teaming techniques
- As per Tulpa’s OSCP guide, I read and went through Georgia Weidman’s book, which taught me the basics of enumerating a target and simple pentesting example techniques, and which assimilated me into the hacker way. I also did a lot of googling around different tools and techniques in order to gain more insight into the things I had learned.
Hack The Box was also a really big help, through which I started gradually building up my experience and knowledge in rooting boxes. Using what I had learned from Georgia’s book, I managed to fumble my way through the basic machines and, as I got more confident, I started trying harder and harder machines. This helps you build the absolutely crucial enumeration skills and gives you an insight into what kind of things to look for, where to start and what to try.
I had installed and played around with DVWA (Damn Vulnerable Web App) a few years before starting the OSCP, which introduces you to the basics of web application penetration testing and walks you through some of the following key concepts:
- Local file inclusion
- Remote file inclusion
- SQL injection
- Brute force
- File upload
CEH – Certified Ethical Hacker:
I wouldn’t really worry about this before the OSCP, as I found it much more angled towards historical attack vectors and the business process/risk management side of penetration testing. It is useful for your professional career but not crucial to have prior to the OSCP, in my opinion.
Command Line Experience
- I have been using Linux for 6 years now for both personal and work use, and I use the command line primarily for most things (GUIs are for chumps). I had to brush up on my Windows CLI knowledge, but apart from that I didn’t need to worry at all about learning the command line.
- So that is a pretty high-level overview of the relevant prerequisites I had prior to the course, and I strongly recommend everyone getting themselves into a similar state before progressing into the course; just enough to be competent in each main area and a devotion to learning will be enough to get you started.
Course timings and Workload
60 Days Lab time
PDF Exercises and Training videos
- So I read through the PDF and spent the first week doing the exercises/reporting, which in the end was somewhat benign, but I am glad I did it anyway as it gave me an understanding of what kind of reporting would be needed in the exam. Most of what was included had already been covered in Georgia’s book, but I made sure to carefully go over each section and ensure that I fully understood and took in what was covered in the PDF and the videos (researching what I hadn’t come across in the book). I went over the buffer overflow stuff twice as it was a big gap in my knowledge, and although Georgia’s book covers it, I felt like I wanted to have a deeper understanding of it, especially as I had not had much exposure to C programming. All in all, I think the training material was extremely well written, but I think I would have struggled to do the exam within the timeframe if I hadn’t read Georgia’s book prior to starting the course.
Main Lab time
- So first, a little word of warning: I did not find it easy. I didn’t wing it and hope for the best, or rely on my prior experience to get me through the course. I worked day and night, balancing a full-time job and coming home to work full time. I spent almost every night of the remaining 45 or so days working until 3am, trying to cover as much ground as possible. I spent the bulk of my time working in the main network and, as I came closer to the exam day, I moved into the admin and dev networks. In total I managed to root 35 boxes, which I was very happy with, and I learned so much. Although, I was terrified before the exam because I was still learning so much, even the day right before my exam. If you are not willing to sacrifice this amount of time and don’t have more experience, I think you will struggle to get up to standard given the timeframe. You might want to just spend a year or so on Vulnhub and HTB in order to get up to standard over a larger timeframe, but I was dedicated and it was something I really wanted to do (plus I am impatient and had set myself the goal), so I didn’t mind putting my life on hold for a few months to do something I enjoyed immensely; but there is nothing wrong with wanting to take your time with it. It is all about learning to fully enumerate a target: spending the time to properly check and go through all the services, versions and web services is crucial, rather than trying to just chuck arbitrary exploits at a server and hope for the best. It will help you so much if you learn how to enumerate and read through the data properly and develop a structured process.
On that note, something which I wish I had truly stuck to from the start rather than ignoring it is: develop a process! I can’t tell you how many times I missed something because I stopped following my process as I thought I knew what needed to be done; don’t go down the rabbit hole. Root a few boxes, maybe 5-10, find out what works for you and stick to that; if the process doesn’t work or isn’t as verbose as you need it to be, fix the process and amend it for next time. I can’t stress this enough.
- Before the exam I had read through all the exam recommendations, guidelines and reporting techniques, so I knew exactly what was needed from me in the exam and after. When I received the exam mail I got straight to work and decided to go through the machines sequentially in ascending point order, starting with the ten-point machine. I managed to root the ten-point machine within 40 minutes of getting on the VPN and my process worked like a charm; on to the 20-point machines. I decided to enumerate both the 20-point machines in parallel, still following my process, but running through it against both machines at the same time. After two hours I had lots and lots of information but no local shell, so I decided to target one box at a time just in case I was missing something. When enumerating them separately, I got a bit more information but spent another hour each on them and was getting disheartened. I thought to myself, if I can’t even do the 20-point machines I will never be able to do the higher-point machines, but no, I would not be defeated. I slapped myself in the face, put the Offsec try harder song on and moved on to the 25-point machine; it was the dreaded buffer overflow machine. I knuckled down and, due to the extra practice and attention I gave it in the lab/prep stage, I managed to get full system access within around an hour and a half. Confidence was starting to creep back up. Next I decided to do the other 25-point machine, stuck to my process and got it within an hour. Boom! I was so happy I spent at least 15 minutes doing the root dance.
I then had to calm down, get level-headed and get back to the boxes I had moved past. After thirty or so minutes of going over my notes I found I had missed something small, which gave me a clue as to what to check for, and I found out how to get local admin, yet the exploit was not working at all. I tried everything I knew: I modified it, wrote my own, and I even used my one-use Metasploit token to try and get a shell, but alas, nothing. I decided to bounce back to the other box and try again to enumerate it more, and found something I would have got sooner had I stuck to my process. I got a local shell at last. That was enough points at this point to pass the exam, but I was not going to let it defeat me; I wanted that root flag. In full try harder spirit, I spent 15 hours in total going through this one box. I had done everything I could think of for priv esc, followed every guide and looked over all my notes, but couldn’t find a single thing. Until I did. I found the smallest clue and had an idea that I thought would never work, but it did; after all that I had finally found out a completely new way to escalate privileges, learned a whole lot more about privilege escalation and a new way to use the privileges I had acquired.
It was a humbling and testing experience which I truly cannot describe. This goes to show that experience really is key and the more roots you get the better, but it also shows that absolute determination, an attitude to try harder and a refusal to give up are also required. I jumped for joy, made sure I had all the screenshots I could possibly need with the remaining time, and got straight to work on the report. Again, I took my time and spent almost the full 24 hours making it perfect. That was that, all sent off and waiting until the next evening when I got my certification pass mark. I will say that, as much as I was over the moon, I was also a little bit upset and feeling a bit lost that it was all over; I will miss the whole experience profoundly. I just want to say thank you to the people at Offensive Security for putting an awesome, one-of-a-kind course together, and it is an experience I will never forget. Onwards and upwards to the next challenge.