I recently decided to switch my career path at the beginning of 2020 to information security. As I started digging more into the field, the Offensive Security Certified Professional (OSCP) certification was one that struck my curiosity from the start. I only knew that it was an extremely rigorous 24-hour penetration testing certification exam. Its allure drew me closer and closer the more I read about it.
The course/exam got its first major update in February 2020, intriguing me even further. The amount of course material doubled. It included new topics like Active Directory attacks, new lab machines, and overall a more cohesive experience.
It is no secret that the OSCP is one of the most coveted certifications in the field of information security. Its prominence in the industry has led to many companies preferring OSCP-certified candidates when filling offensive security positions.
I had a phenomenal experience going through the rounds and passing the exam on my first attempt. Even though I do not plan on pursuing a career path in offensive security, the course has made me a more well-rounded cybersecurity geek in many aspects. The skills you learn from penetration testing are immediately transferable to many other fields.
My Background
When I was around 12 years old, I took an interest in hacking. I spent lots of time on various forums, doing script-kiddie-esque stuff without really understanding what was happening behind the scenes. I learned a lot about “what is possible” with hacking and the mindset of a hacker.
I had never even considered a career in cybersecurity until I was 19. I hadn’t even heard of things like Kali and Metasploit until January of this year, when I took a class on ethical hacking in my undergrad program.
I had rooted maybe 5-10 HTB boxes prior to taking the course, all of which were mostly with write-ups. My process was basic and relied 100% on launching random Metasploit modules at machines and desperately trying to match the vulnerable version numbers.
I had basic networking knowledge, a small amount of experience in Python/C, and general knowledge around Linux and navigating the command line.
Certifications: I took the CEH Practical in the middle of my PWK time — it was not helpful, nor did it provide any value add for my OSCP attempt. I also had Security+ prior to taking the exam. It’s not immediately applicable to the exam but a good starting point if you are trying to break into the industry.
Preparation
Offensive Security claims that there are only a few prerequisites before taking the course, which are namely:
- Solid understanding of TCP/IP networking
- Reasonable experience navigating Windows/Linux environments
- Familiarity with at least one programming language, ideally Python, Bash, or Perl
However, depending on your experience level, I do recommend preparing the basics before you dive into the course. I wish I had prepared more before jumping into the course so I could have used my 90-day lab time more efficiently. Here are some preparation resources I recommend before jumping into the course.
- Heath Adam’s (aka The Cyber Mentor) Practical Ethical Hacking course on Udemy
- If you only have time and resources for one preparation course, this would be it. There are coupon codes floating around all the time so that you can purchase the course for about ~$15. Heath frequently posts them on his various social media channels (Twitter, LinkedIn, Discord, Twitch).
- This course assumes you have absolutely no experience at all. I skipped much of the Linux and Python sections because those were things I was already familiar with.
- TJ’s Null OSCP Preparation Guide
- This is an exact replica of the PWK syllabus — but enriches each section with links to other resources that you can use to familiarize yourself with the topic.
- I wish I found this earlier. I found myself referencing it during the course to learn more about the topic or approach it from a different angle.
- Heath Adam’s Privilege Escalation Courses: Linux Windows
- You can also find these courses for about $10-$15 with coupons.
- You should take these after you finish his Practical Ethical Hacking course as it assumes you already have the skills necessary to gain an initial foothold on a box.
- HackTheBox and TryHackMe
- You can’t write an OSCP review without at least mentioning HTB. About $10/month for a premium subscription to each service. You will ideally need subscriptions to these for TCM’s courses.
- THM is a newer platform; I wish I had found it sooner. It’s gaining a lot of traction and is better for beginners and for people who prefer more structured guidance. HTB is slightly more advanced in that it’s nearly a completely black-box penetration test; there’s no hand-holding.
- Lastly, TJnull’s famous list of OSCP-like boxes on HTB and VulnHub
- I’m not totally in love with the VulnHub list curation — many of the machines felt CTF-y.
- The HTB list is solid.
Other Soft Requirements
With little to no experience, I set aside 3-4 hours every day for 3-4 months to adequately prepare for this exam. I would spend 2-3 hours on weekdays and 8-10 hours on most weekends.
As a university student, the 3-month summer break was an obvious time to start the course. I didn’t have the burden of school on my shoulders.
This course is not for the faint of heart and requires your full buy-in. It requires sacrifice and genuine interest in the topic. I have no doubt that this course would be significantly more difficult for individuals working full-time and/or with a family to support.
Who the Exam is For
For those wanting to pursue a career in offensive security or in a position that involves penetration testing, you’ll likely have to tame the OSCP at some point in your career. Many employers will require you to hold the OSCP or have the ability to get it after X months of employment.
For me, I did not have (and still don’t) the desire to go into an offensive security career. I took the exam so I could learn more about hacking and scratch that itch in my brain.
If you have even a modicum of interest in penetration testing and some desire to suffer a little in the process, I think this exam is a great challenge. I learned an incredible amount about how underlying technologies work, refined my scripting skills, and learned more about Active Directory.
From a blue team perspective, I think this exam is still invaluable in that you learn “what is possible” from adversaries and the penetration testing mindset.
PWK/Lab Experience
I purchased the 90-day lab access for PWK. There are also 30-day and 60-day options, but I have no regrets choosing the 90-day option. There was a 2-week lag time from the time I purchased the course to the earliest start date — be wary of this when trying to time the course start date.
First Month
The Offensive Security admins recommended to me early on to “sprint through” the course materials as quickly as you can, so I set a goal to complete the course materials in the first 30 days. I made a ‘syllabus timeline’ to keep myself accountable. Set yourself up for success.
The real value of the course is the access you have to a plethora of lab machines. There are multiple virtual networks to practice pivoting and lateral movement (including AD environments) — something you cannot practice on platforms like HackTheBox or VulnHub machines.
I also spent this time finishing the Practical Ethical Hacking course along with the two privilege escalation courses I mentioned earlier in the post.
Note: The course PDF and the course videos are the same! Literally, word for word, the same. I did not bother watching any of the course videos past the first couple of chapters. It comes down to a matter of which learning medium you prefer.
If the videos are too slow for your taste, try this:
```javascript
javascript:document.getElementById("video").defaultPlaybackRate = prompt("Enter your preferred playback rate:");document.getElementById("video").load();
```
(Credit to Justin Gardner for this)
Second Month
I compromised about 20 boxes during my second month of the labs, mostly going for the quick wins. My internship started roughly around this time and significantly affected my ability to focus. Regardless, I pushed on.
I started scanning the network in sequential order of increasing IP addresses (which most people frown upon). In reality, you would scan the entire network and start with the low-hanging fruit. But in the end, I ended up poking at every machine anyway, so I don’t think it’s an invalid method.
The IP address of the machine doesn’t have any significance with regard to difficulty. But I did notice a vague trend of the higher addresses in the range having more complexity and nuance to them. They were often pivot points to other subnets or had useful information that could be used to compromise additional machines.
A good number of the machines need a “friend” — you need to compromise another machine to grab critical information required to root the machine. This often involves finding plaintext credentials or dumping hashes + passing/cracking them. You will not know which machines need friends, but you will learn to recognize them (e.g., only RDP/SSH open and you cannot brute force). The forums are also a good sanity check to verify if the box needs a friend.
Use the forums when you are stuck! There is no shame in using the forums for hints when you are unable to push forward. The forums are generally pretty good about obfuscating hints and not giving direct answers, but can also be annoying at times. Code words are often used; here are some common ones that I’ve discovered:
- Brazilian dancer = Samba/SMB
- Mythical creature = Hydra (or brute force)
- Mythical horse = Unicorn (the great Python script for generating PowerShell payloads)
- Former famous leader of the Republic of South Africa = Nelson (Mandela)
  - In reference to the Linux full/half-Nelson kernel exploit
I would love to add to this list if you have any to share.
Third Month
After getting all the low-hanging fruit, compromising the other boxes became more difficult. I spent the beginning of the third month practicing on other platforms like HackTheBox and TryHackMe, reading more walkthroughs, and increasing my overall knowledge.
The PWK course material is not enough for you to pass the exam. You must have an intrinsic curiosity and use your Google-fu skills to learn more. This truth holds in the general tech industry as well. No matter what tech-related field you’re in, you will need to be continually learning and keeping up with the latest technologies.
I compromised approximately 20 more boxes in my third month, which required significantly more effort than my initial 20. I started nailing my methodology down and creating my own cheat sheets, references, and commonly used commands that I could copy/paste.
In the last week of my lab time, I started creating the outline of my exam report and re-did all the buffer overflow exercises & VulnApps in the lab.
My lab time ended on August 9th, 2020. I spent that weekend decompressing, hanging out with friends, and avoiding the computer.
Note-taking
The exam is open-note and open-internet — you’re welcome to use any resource you need. Note-taking will be critical to your success and gives you a medium to organize your thoughts in a way that makes sense to you. You don’t want to waste time on the exam scouring the internet, trying to find the right syntax to download a file with PowerShell.
I used OneNote on my host machine. I heard too many horror stories of CherryTree corrupting notes. OneNote would keep everything backed up for me and keep my notes safe. Joplin is another popular choice (which recently replaced CherryTree in Kali 2020.3).
I kept everything in one notebook for all OSCP-related material, with the sections separated by course notes, lab machines, HTB/VH/THM machines, cheat sheets & resources, and a section for my exam notes.
I used this plugin for code syntax highlighting. A bit of a clumsy implementation, but I was generally happy with it.
I used GreenShot for taking screenshots and marking them up.
Workstation Setup
Offensive Security’s official recommendation is, at a minimum: 4GB of RAM, 20GB of disk space, and a dual-core CPU. I would highly recommend at least 16GB of RAM, 80GB of disk space, and a quad-core CPU. This will allow you to not worry about your computer’s hardware limitations and just focus on learning.
If anything, at least upgrade your RAM so you can feed more of it to your Kali VM. 16GB sticks will cost you less than $50. Your computer will also need to be running a test proctoring software during the exam, which will take up even more computing resources than usual.
I also recommend a dual monitor setup. They don’t have to be fancy. Doing it off a single laptop screen will be painful. I used one 34-inch ultra-wide monitor for my Kali VM, and a 24-inch monitor oriented vertically for my notes and doing research. Also, monitor arms are totally worth it — the amount of desk real estate you can reclaim is amazing.
Ergonomics are no joke. I had so much wrist pain halfway through my exam that it was nearly impossible for me to focus. Even before the exam, I was easily spending 12+ hours sitting a day. A solid desk chair was the first and best investment I made.
Lab Exercises and Reporting
There is a 5-point exam extra-credit opportunity available in the course. You must complete all the exercises laid out in the PDF and do a write-up of ten lab machines using different exploits for each.
This opportunity is now more daunting — the updated course has 400 more pages than the old PDF. I’ve heard from others these reports average 150-200 pages.
I decided early on that the reporting wasn’t worth doing for a meager 5 points. I calculated that I would likely reap greater returns if I used that time to practice more.
That being said, you should still try to complete the exercises and do a lab report of a few machines so you can get the hang of it.
The Exam
I scheduled my exam for about a week after my lab time ended. I made sure I didn’t have any commitments or significant obligations for the next 24 hours.
Exam spots fill up quickly. Make sure to schedule about a month in advance, especially if you are trying to get a weekend date.
I reread the exam guide in detail the night before the exam.
Sunday, August 16th
8:00 AM: I get up naturally around this time, make some breakfast and coffee, and go for a quick jog. I did not deviate from my usual morning routine much. I make sure I have enough food, energy drinks, and coffee easily accessible for the next 24 hours.
9:30 AM: I get on my computer, making sure everything is good to go. I connect with my proctor and launch the proctoring tool. They check my ID and do a quick sweep of the room with the webcam. Pre-exam checks are straightforward and did not take long.
10:01 AM: My VPN connection pack arrives in my email, along with the list of in-scope IP addresses. You’ll also get a link to an exam control panel to revert the machines, and submit the local/proof file contents. You have 24 reverts (plenty). I quickly glance through the other instructions provided. In the background, I start kicking off scans for the other machines, one at a time to prevent network congestion.
10:10 AM: My strategy is to start with the buffer overflow machine and work my way down on descending point values. The BOF is fairly standard and nothing crazy. I miss a small step during the process and panic for a few minutes, but found my mistake quickly.
10:40 AM: Buffer overflow finished in 30 minutes! 25 points. I’m feeling good.
All the other scans were finished at this point. I jump among the remaining four machines fairly quickly. I again panic a little at this point because I couldn’t see an obvious foothold. There is so much noise you have to filter through.
12:30 PM: Something in the 10-ptr machine stands out to me. I search for a matching version, launch it, and it instantly gifts me with a root shell. This is what I expected from the 10-ptr — simple one-shot exploitation with no privilege escalation required. 35 points.
2:30 PM: I find myself jumping between the three remaining machines again, struggling to focus on any particular one. At last, I find something unusual while running an enumeration script. I got lucky with this one as I’ve seen the vulnerability exploited before in an HTB walkthrough. I find a PoC on GitHub and get a low-privilege shell.
I kick off some of my typical suite of privilege escalation scripts (LinPEAS, WinPEAS, PowerUp, LinEnum). I did the necessary due diligence manually enumerating as well, but there was nothing interesting. I start poking around other machines.
4:30 PM: I gain a foothold on the 20-ptr. This one involved a little more work as I had to exploit a misconfiguration rather than a vulnerability. I had to install a vendor-specific application so I could interact with the service.
I kick off my typical privilege escalation scripts and my regular manual post-exploitation enumeration steps. Nothing interesting. I start hopping around different machines again.
7:00 PM: I notice something weird on the 25-ptr that I missed before. That turned out to be the intended privilege escalation vector. Everything lines up and it appears to be vulnerable.
I try a handful of PoC scripts from GitHub and EDB with no luck, but I was still confident this was the correct privilege escalation vector. After about an hour of failed GitHub/ExploitDB scripts, I fired up Metasploit, loaded the appropriate module, and the machine gifted me with a root shell. Another 25 points down.
Lesson #1: Don’t be afraid to use your Metasploit allowance. Metasploit will rarely help you in the exam, so if you see an opportunity, use it or you’ll probably not have the chance to use it anywhere else. Trust your intuition here, you are probably correct.
Lesson #2: The privilege escalation vector was unconventional. The popular privilege escalation scripts would never catch it. Know how to manually enumerate; don’t use scripts as a crutch.
Lesson #3: You need to ‘waste’ some time in the labs and be frustrated; it is part of the process. This will teach you to recognize what a machine baseline looks like across various operating systems, and will allow you to spot the abnormalities quickly, which may lead to privilege escalation.
For example, after some time, a non-default binary with SUID permissions should immediately trigger your spidey senses.
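The “non-default SUID binary” check from Lesson #3, written here as an added example (not from the original post) from the defender’s side: snapshot the setuid/setgid files of a known-good build, then diff a later snapshot against it so drift stands out without relying on memory. The two snapshots below are constructed for the demo; `snapshot_suid` is what you would run on a live host to produce real ones.

```shell
#!/bin/sh
# Added example, not part of the original post: baseline-and-drift check for
# setuid/setgid binaries (the "non-default SUID binary" signal from Lesson #3).

# snapshot_suid: list setuid/setgid regular files on the live host, one per line.
# Not called below so the demo stays offline and deterministic.
snapshot_suid() {
  find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Constructed snapshots standing in for a golden image and a later check
# (hypothetical paths, not taken from any real host).
BASELINE_SUID="/usr/bin/chsh
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo"

CURRENT_SUID="/opt/backup/dumper
/usr/bin/chsh
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo"

# new_suid BASELINE CURRENT: print paths present in CURRENT but absent from BASELINE.
# awk reads the baseline first (NR == FNR) into a set, then filters the current list.
new_suid() {
  base=$(mktemp) && cur=$(mktemp) || return 1
  printf '%s\n' "$1" > "$base"
  printf '%s\n' "$2" > "$cur"
  awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen)' "$base" "$cur"
  rm -f "$base" "$cur"
}

# count_new BASELINE CURRENT: number of unexpected setuid/setgid paths (0 when clean).
count_new() {
  new_suid "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: report drift against the constructed baseline.
if [ "$(count_new "$BASELINE_SUID" "$CURRENT_SUID")" -gt 0 ]; then
  echo "SUID/SGID drift detected, investigate these paths:"
  new_suid "$BASELINE_SUID" "$CURRENT_SUID" | sed 's/^/  /'
else
  echo "No SUID/SGID drift against baseline."
fi
```

On a real host, store the output of `snapshot_suid` from a freshly built image as the baseline and feed a fresh snapshot as the current list; anything the diff prints is a binary that was not there at build time.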
At this point, I have:
- 25-ptr (BOF)
- 10-ptr
- 25-ptr
- Low privilege on 20-ptr
Offensive Security does not state how many points you receive for a low privilege shell. It is often speculated to be half points, but it is not clear even with plenty of empirical evidence. Assuming that I get half credit for the 20-ptr, I would have enough points to pass the exam at this point.
It’s hour nine of my exam, and I’m in this weird flux zone of maybe having enough points to pass. I had to find a foothold on the remaining 20-ptr or escalate privileges on the other 20-ptr. Either of those options would push me out of the flux zone. I had fifteen hours left in my exam. I felt like it was reasonable to accomplish.
For the next five hours, I bounced between the two remaining boxes but found nothing. I take a short break for dinner and go for a walk. I come back and poke around for a few more hours — still nothing.
Monday, August 17th
12:00 AM: I go to sleep. I was worried at this point as I had a relatively short five hours in the morning to finish the exam.
5:00 AM: I wake up, do my usual morning routine, and get working on the exam again.
The hours tick by… I still cannot find anything. I started getting increasingly messy and disorganized towards the end. The panic sets in again. I got careless with my notes and wasn’t keeping track of what I tried already. I wasted a lot of time re-running commands.
9:30 AM: I give up on trying to garner more points. I spent the last 15 minutes making sure I gathered all the screenshots and documentation I needed for the report before the VPN disconnects.
9:45 AM: The VPN disconnects, my exam is over.
I gained ZERO points in the latter fifteen hours of the exam. It felt awful and perhaps embarrassing. How could this be possible? This exam certainly is tough and I could see why so many people need to take it multiple times. There’s a bit of luck involved in filtering through all the noise and targeting exactly what you need.
Exam Reporting
You have another 24 hours to complete your exam report after your exam is over.
Knowing that I may be on the edge of passing, I spent a great deal of effort on my exam report. I take a quick nap, attend my first day of Zoom classes in a half-conscious state, and do my exam report in between. I used this OSCP exam report template that uses Pandoc.
The report should be detailed enough that someone with reasonable experience could replicate your steps. You should include the commands run, explanations, screenshots, the exploit code you used/modified, remediation, and anything else you deem relevant.
You should not include everything in the report if it provides little value. For example, there is almost no situation where you should have the full contents of an Nmap service scan.
For the machine I was unable to gain a foothold on, I did a vulnerability assessment instead. I highlighted what services were outdated, what sensitive information was disclosed, and possible exploitation vectors. I also mention remediation steps with links to updates and patches. And for the machine I was unable to escalate, I did something similar and provided steps for a possible privilege escalation vector.
My exam report was about 40 pages. You are required to:
- Zip it in a 7zip file, encrypted with your OSID
- The 7z file should be in the format `OSCP-OS-XXXXX-Exam-Report.7z`
- Upload it to their website and also send an email confirmation
Failing to follow the instructions will result in a fail or in a reduction of points, so I double- and triple-checked to make sure everything is exactly how they want it.
I received notification that I had passed my exam about a week after my report submission.
Concluding Thoughts
I was ecstatic to learn that I had passed the exam on my first attempt. This course and the exam have been one of the most difficult things I have ever pursued. It tested my limits and demanded everything it could from me. I sacrificed a lot, which only made it more fulfilling to achieve.
Despite the difficulty of this exam, it has also opened my eyes to the fact that this is, in fact, an entry-level penetration testing certification. It is the foundation you need before you pursue the other certifications offered by Offensive Security.
Penetration testing is difficult because it requires you to understand how the underlying technologies work before exploiting them. It’s not a single, standalone topic. It is a culmination of many disparate disciplines and skills. At many times, it is as much of an art as it is a science.
My skill set and thought process radically transformed in just three short months. I felt empowered that I could surmount any challenge in the future — it just requires consistent and persistent hard work.
Special thanks to my family, friends, and all the people I met online while preparing for the exam alongside me. This support network was invaluable and kept me going when I needed it the most.
Summary
- The course and exam are difficult but not impossible. Be prepared to spend 300-400 hours if you are coming in with little to no experience. Do spend time preparing before you start the course so you can get a running start and take the most advantage of your lab time.
- This certification is not only for people wanting to pursue a career in offensive security. There is so much value to be gained from this course. You will gain skills that are immediately transferable to topics other than penetration testing.
- The exam is as much of a mental challenge as it is a technical one. It’s a 24/48-hour exam, but it does not require the full amount of time. Take plenty of breaks, manage your time wisely, sleep well, and take care of yourself first.