OSCP: Experience and Tips
I recently passed the Offensive Security Certified Professional exam and would like to offer some thoughts and potential insight to anyone else looking to take on the challenge. Before even enrolling in the Penetration Testing with Kali Linux (PWK) course, I scavenged the internet for blog posts like this and found some very useful information and tips in the process. Hopefully, someone can use some of this information to make their goal of becoming OSCP that much smoother.
TL;DR – The road to becoming OSCP is obviously very difficult, but not worth “fearing” as some do. Don’t be afraid to take time off during PWK lab access. Focus on developing a reusable methodology that is continually tailored relative to your growth as a student. My passing combination was root on a 25- and a 20-point machine, local access on the other 25- and 20-point machines, and a completed lab report. (Scroll to the bottom for a dump of my lab and exam tips.)
Before starting Offensive Security’s PWK course, I had a standard “jack of all trades” IT background. For 3 years, I’ve been half of a two-man IT team offering services to various retail companies, with our largest responsibility being a government contractor. That experience covers anything from helpdesk and server administration to the “lovely” world of NIST compliance and beyond. Digging further into that, my only real “cyber” experience lies within log analysis, network device security configuration, and compliance documentation. My only “offensive” security experience was the completion of a few easy-rated boxes on hackthebox.eu (a website I highly recommend, by the way), and a long-time hobby interest in the subject.
Signing Up for the Course
OSCP honestly scared the hell out of me for a long time, but I loved the idea of a practical exam as opposed to some other sort of brain-dump format like multiple choice. After failed attempts at telling myself I’d sign up for PWK after reading this book, that book, and doing that “thing” to get me ready, I decided to just sign up and make it happen. I think others interested in the cert may benefit from this attitude. If you’re familiar (not even necessarily proficient) with a Bash environment, have a decent grasp on how basic network protocols (HTTP/S, DNS, SSH, etc.) work, and can at least read basic Python and C code with the help of Google, you’re ready to start the journey, provided you’re willing to put in the time and effort required.
I signed up for PWK in early April of 2019 and received access to the coursework/labs on April 20th. While waiting to get lab access, I spent some extra time watching IppSec CTF walkthroughs on YouTube (https://www.youtube.com/ippsec) and developing a set of goals/milestone dates for the coursework and labs.
Course Material and Labs
After obtaining the course materials and VPN access to the labs, I wanted to make sure the coursework was finished before jumping into the lab environment. I was only semi-successful… I did about half of the coursework within 10 days, and then anxiously hopped into the lab environment to gauge where I stood. I didn’t return to finish the coursework and exercises for several weeks, and focused on “rooting” lab machines instead. In hindsight, I think it would be wise to go through the coursework before diving head-first into the labs. For someone lacking experience, 2 to 3 weeks of consistent work should be enough time to digest the 380+ page course PDF and complete the exercises. Maybe a little longer, since the exercises can be quite tedious. Side note: do the course exercises! Doing the course exercises not only exposes you to skills used in the lab and exam, but also offers up to 5 exam bonus points when combined with thorough write-ups of 10 lab machines.
Within the labs, I started at the first IP address I found in my scans, and worked upward in numerical order through the addresses I found. While this worked for me, I wouldn’t recommend that others do the same. Instead, it’s probably preferable to do full network enumeration scans and choose a host based on a service banner or protocol you feel comfortable attacking.
After 1–2 months of work in the labs, I had about 22 machines rooted, with 1 of them being a “big four” machine. By some standards, 22 rooted machines out of a 55+ machine lab is not a lot. I was okay with that, though. Rather than focusing on the quantity of boxes, I was adamant about establishing a methodology I could use for virtually any box I was attacking. A tried-and-true penetration testing methodology is extremely important in order to pass the OSCP exam, as it offers a framework for thorough enumeration and a guideline for how to spot a rabbit hole. Methodologies may differ for each person or team, but they always offer a system of repeatable steps that can be applied to different situations with only slight circumstantial modification. Since the PWK lab environment holds its fair share of outdated machines and exploits, try to focus more on what enumeration tipped you off to your eventual exploit, and how you were able to determine the steps needed to successfully run it.
I was sure to schedule an exam attempt before my lab time ran out. To me, doing this was vital. An exam retake is cheaper than an extension of lab time. If you fail your exam attempt with lab time remaining, you can address where you went wrong on your first attempt by practicing more in the lab environment you’re familiar with, while only incurring the fee of an exam retake.
A mistake I made in scheduling my exam was waiting too long to schedule it. Friday and Saturday exam start times get booked quickly. If you wait until the last minute, expect to get an inconvenient start time, like me. I started my exam on Wednesday July 3rd at 9pm. However, in hindsight I really like the idea of starting the exam at night. Starting the exam late in the evening essentially forced me to incorporate sleeping into my schedule. It seems that too often people start their exams early in the morning and burn themselves out by working straight through the day. In my case, my goal was to root the Buffer Overflow machine and thoroughly enumerate each box before 12:30 (00:30), which I was able to do. I got to sleep at about 1am, woke up at around 5:45 with a fresh mind (after coffee), and was ready to dig deeper into the findings of the previous night’s enumeration. Ultimately, I was able to root one 20-point box, obtain low privileges on the other 20-point machine, obtain low privileges on the 25-point machine, and was left in the dark on the 10-point machine. This combination adds up to roughly 65 points, depending on your optimism/pessimism about the Offensive Security grading scale. Luckily I had done the lab report, which could seemingly get me to the 70 needed to pass.
The Aftermath of a 24-hour exam:
Waiting for the Results
Check your spam filter periodically as you wait! Seriously. The confirmation notice of my exam submission got caught in my workplace spam filter. While that’s not a huge deal, I’ve heard numerous accounts of students whose exam results have gotten marked as spam, making the waiting process that much more painful… which, by the way, is an already painful experience if you weren’t aware. I was constantly refreshing my email client hoping for something. I received confirmation that my exam submission was received on Friday July 5th, and got my exam results exactly a week later on July 12th. Thankfully, I was able to pass with my score combination and the lab report.
Lab Tips Dump:
- Don’t be afraid to take a couple of days off. Life happens, burnout happens, work happens. I stepped away from the labs several times throughout my course time when I was feeling down, stressed, or had other obligations. Clearing your head for a day or two (or three) helps rekindle motivation and allows you to jump back in fresh.
- Learn how to do the boring stuff before you automate the boring stuff. I found certain tools like Reconnoitre (https://github.com/codingo/Reconnoitre) and nmapAutomator (https://github.com/21y4d/nmapAutomator) to be extremely helpful in the labs. It’s important to first understand the logic of these scripts/tools, though, and to be able to enumerate on your own if the circumstance calls for it.
- Use Metasploit, even if you’re limited to “one shot” on the exam. I used Metasploit whenever I got the chance to in the labs. Seeing a box vulnerable to something like MS17-010 offers beginner Metasploit users a great chance to get comfortable with the tool and test out different payloads/exploits. The extra skills I picked up with Metasploit in the labs actually helped me compromise one of the eventual exam machines.
- Take notes on the boxes you work on as you work on them, or shortly after you compromise them. I thought I took good notes, until I had to re-compromise certain boxes to get screenshots for my lab report. Make sure you document your enumeration in your notes, and detail how you were able to get each exploit to work.
- If you’re motivated to work but don’t feel like actually working, watch some videos on YouTube that explain a concept or process you’ve been working through in the labs. My go-to channels for this are IppSec and Black Hills Information Security.
Exam Tips Dump:
- Consider scheduling your exam in the evening. It will suppress the temptation to overwork yourself, and hopefully encourage you to actually get some sleep during the exam.
- Use a separate laptop for the webcam feed if your main machine is short on RAM. My testing laptop has 8GB of RAM. Anything I could delegate to a different machine was helpful in optimizing the performance of my primary computer.
- Record your screen as you take the exam. OBS Studio is free, and recording my screen at 10 frames per second for the times I was actively taking the exam only came out to a few GB of data. I actually had to reference my recordings once to grab a screenshot I had forgotten to take in the moment.
- Take lots of screenshots while working, lots, and be sure to organize them in some sensible way so that you can reference them in the future for your lab report. I used the Windows Snipping Tool for my screenshots so I could crop them as I took them. I stored my screenshots in folders named after the IP of the machine I was attacking, with titles relating to the step I was completing in the shot.