My Journey To OSCP

Raed Naseem
19 min read · Feb 11, 2021

What is OSCP?

Offensive Security Certified Professional (OSCP) is a certification that focuses on hands-on offensive security skills. It consists of two parts: a nearly 24-hour penetration testing exam in an isolated network against 5 targets, followed by a written report that is due 24 hours after the exam ends. Before you can take the OSCP exam, you are required to enrol in the Penetration Testing with Kali Linux (PWK) course; completing the course is what makes you eligible to sit the exam.

Background & Experience

Before I delve into the PWK course and the OSCP exam I want to provide you with some information on my background and experience. Prior to landing my first security job as a cyber security analyst, I spent about 1½ years working for an MSP as a sysadmin. The experience I gained during my time as a sysadmin helped me tremendously throughout my OSCP journey, as I was exposed to the core workings of servers, firewalls, routers, switches and the like. However, this position limited my exposure when it came to security, and although I was pursuing my bachelor’s in computer networks & security at that time, it focused more on networking than security, and thus I was lacking a great deal of knowledge in the InfoSec domain. So I signed up for CEH a year after completing my bachelor’s; it was insightful enough to kickstart my career in cyber security, and a few weeks after passing the exam I landed my first security job as a cyber security analyst — shoutout to Orion for believing in me.

Along my new journey at the new firm, my manager introduced me to a platform called HackTheBox (HTB), which turned out to be a game changer in my pentesting career. For those of you who do not know, HTB is an online penetration testing platform that contains a variety of machines to help you improve your penetration testing skills. In order to register on the platform, you will need to hack your way into getting an activation code. Once you have generated your activation code, you will have access to their range of vulnerable machines. In the free tier you are allowed to play with the 20 active machines, and they cycle in a new system and retire an old one every week. If you want to access their retired machines you will have to sign up for VIP access. In my opinion, getting VIP access is worth the investment, especially for those just getting started. The current generation of ‘easy’ active machines are noticeably more difficult than what is found in the OSCP, so keep that in mind when you are working on the active machines as prep for the OSCP exam. To this day, I still remember popping my first shell on a machine called “Sense”.

Ever since I heard about HTB, my weekends were pretty much spent trying to get that root shell on a box, but as I was just getting started, I encountered several roadblocks progressing through a machine. One Sunday afternoon, while trying to google my way out of an obstruction, I came across IppSec’s YouTube channel. IppSec, for those of you who do not know, does walkthroughs of retired HTB machines and goes step by step through how to obtain access to the target and how to escalate your privileges to root. Each box has a different scenario and IppSec always has something extra to throw in during his walkthroughs. I used to spend countless hours watching his videos, painstakingly taking detailed notes, trying to replicate them on the same HTB machines and documenting any new tools/techniques in my cheat sheet. I think the InfoSec community is grateful to IppSec and his contributions.

As I was progressing and getting better by the day, I did not want to limit myself to HTB and so started exploring other platforms, when I stumbled upon VulnHub. It is similar to HTB, but the machines are mostly Linux based and a bit CTF-ish — nonetheless an invaluable resource to hone your methodology. Unlike HTB, you have to download the vulnerable machines and run them on your local system. You will need VMware or VirtualBox to run these vulnerable systems. Make sure that you are running these vulnerable systems on an isolated network (a host-only or internal virtual adapter, never bridged) and not on a public network: these images are deliberately exploitable, and anyone else on the segment can own them just as easily as you can. Just like with HTB, the amazing InfoSec community out there shares write-ups on the various tools and techniques they used to compromise a machine. I used those write-ups as a resource whenever I had exhausted all the techniques I knew. This allowed me to expand my knowledge and learn many more enumeration/privilege escalation techniques. However, I always reminded myself not to be too dependent on the write-ups, as that completely defeats the purpose of the challenge.

A few months before enrolling for PWK, my manager asked me to look into getting eJPT certified. I was initially reluctant to sign up for it, as it seemed to be a beginner-friendly pentesting certificate and I had my focus on PWK, but he insisted that I do it anyway and that the company would fund the entire course. And so, in mid-February I signed up for the course and spent about two weeks on the materials and labs. I was already comfortable with everything in the scope of the course and I breezed through the exam with no issues. Having mulled this over myself, I ultimately don’t regret studying for and achieving this certification. I definitely learned a few things — particularly around data exfiltration — and ended up incorporating some of the tools/techniques learnt in the PWK labs. The course is well presented and easy to understand, with up-to-date materials and tools that will be useful for anyone looking to get a feel for what the OSCP might be like, but at a much more introductory level.

“Is it mandatory to have obtained CEH and eJPT prior to OSCP?” — a question I get asked quite a lot, and the answer is “NO”. I have seen and know of a lot of OSCP holders who have passed the OSCP exam with no security certs at all, but that does not mean OSCP can easily be obtained without some background knowledge in the InfoSec domain. As Morten Schenk, content developer at Offensive Security, once said, “PWK is entry level in pentesting, but keep in mind that pentesting is not considered entry level in infosec and infosec is often not considered entry level in IT”. I personally feel a few years spent working as a sysadmin and time spent on HTB/VulnHub alongside IppSec’s videos should prep you well for the OSCP — but that’s just my opinion on it.

By this time, about two years had passed and much of what I had learned over the years was put to the test at work, where I carried out internal pentests, web app pentests, security assessments and the like. Even though I had no intention of doing OSCP until the end of the year, in mid-March our friendly neighborhood coronavirus came along and shut down the entire country. I thought, what better way to spend the next couple of weeks/months under lockdown than studying for OSCP rather than just twiddling my thumbs, and so it began!

The PWK Course

The overall OSCP experience can be seen as a three-part process: the PWK course, the PWK lab and the OSCP exam. You have the option to register for 30, 60 or 90 days of lab time. Once you register, you select the week you want to start your studies; new courses begin on a Saturday or Sunday. It is encouraged to register 10–30 days before your expected start week, since time slots fill up really fast! On your assigned course start date, you will be given access to download all your course materials. I signed up for 90 days of lab time and had to wait a week after registration to get my materials and VPN access. The 2020 material, which was updated in February, is much more robust than the previous iteration. Weighing in at over 850 pages, the PDF is a mammoth undertaking, and it comes alongside 17+ hours of video. The course is very comprehensive, going to a comfortable depth through a very wide range of techniques and tools to get you started: everything from running port scans with Nmap to cracking password hashes with John the Ripper to exploiting vulnerable apps for reverse shells with Netcat. As you progress, you will come across some challenging topics such as buffer overflows, pivoting and Active Directory attacks, to name a few. A detailed outline of the syllabus can be found here.

The course also contains a series of exercises to get your hands dirty: running tools, developing basic shell scripts, prodding at ports and much more. These exercises are great learning opportunities and very straightforward, although at times they require you to go off on your own and do more research. Completing and documenting them, along with 10 compromised lab machines, will earn you 5 bonus points on the exam. I personally did not do the exercises, as I felt it was not worth the 5 points for the time and effort you put into documenting a 400+ page document (at least from what I’ve heard), and instead focused my time on the labs. OffSec really needs to re-evaluate the 5 bonus points given the sheer scope of the new material. If you are, however, a complete beginner, I would highly recommend you do them, as there is so much you can learn from those exercises. Going through the materials (PDF + videos) took me about a week, as I was able to put in 12+ hours a day thanks to COVID.

Do note that the PWK course does not provide you with everything you need to know. The course is there to help build the foundation and teach you the initial basics you need to succeed. There will be countless things that you will still need to learn/research yourself during your time in the labs, so I suggest you brush up on your Google-Fu!

The PWK Lab

The labs are broken up into multiple departments or networks. You initially start off in the student network, which is directly accessible; to go beyond it, you need to pivot through compromised hosts to reach the other networks. Each host contains a file (“proof.txt”) with an MD5 hash that is unique to that host and is only readable with root/Administrator/SYSTEM privileges. The hashes need to be submitted in the control panel, which validates that the host has been compromised. The following is an overview of the PWK labs (courtesy of OffSec).

Having sprinted through the material, I wanted to settle into a friendlier pace for the labs; I aimed for a box per day during the first few weeks and planned to increase it gradually over the following weeks. However, all those days spent on HTB and VulnHub paid off: I managed to pwn 18 machines within the first week, and before I knew it I was pivoting my way into the other networks and had pwned every single machine (66 to be exact) in under 2 months.

During my time in the labs, I had decided to look at the forums for hints only if I had been stuck for more than 4 hours on a machine, and on reflection that was the right decision. The machines in the lab network are of different difficulty levels; though some may seem impenetrable at times, each and every machine is “hackable”. Some can be rooted with a remote root exploit, whilst others will make you bang your head against the wall for several hours and you still will not figure out how to get past the first hurdle, and that is where the amazingness of the course lies. It teaches you to push your limits. It teaches you to make yourself better. It teaches you that you can do better than you think. It teaches you to keep trying. It teaches you the very mantra OSCP is known for, which is to “Try Harder”.

I cannot express well enough how valuable it is to take detailed notes and build your own cheat sheet. After every machine I rooted, I wrote up a walkthrough of how I compromised it in CherryTree and added any new tools/commands to my cheat sheet. This not only saves precious time in the exam when you want to look up a command, but it also helps you build your own knowledge instead of relying on other people’s cheat sheets without really understanding what you are doing.

I tried to stay away from Metasploit, SQLmap and any autopwn tools as much as possible in the labs. Although these tools are allowed there, I refrained from using them in order to learn the manual way and to avoid becoming too dependent on them, as autopwn tools are restricted in the exam. There were a few times where I used Metasploit or SQLmap to validate that an exploit was working, but I always redid the whole exploitation manually afterwards. Trust me, you will learn a lot more than you think by exploiting vulnerabilities the manual way.

Having completed the entire lab in two months, I scheduled my exam a month out, which happened to be the closest time slot available, and spent the remaining time in my PWK labs practicing buffer overflows and rooting HTB machines from TJ Null’s list of OSCP-like VMs.

The OSCP Exam & Reporting

This section will be vague for obvious reasons. Before I talk about my exam experience, I will go over the format of the exam for anyone who is not aware. You are given 24 hours of access to an exam network in which you face 5 machines, each worth between 10 and 25 points depending on difficulty. In order to pass, you have to earn a score of 70 out of the 100 points available and submit a well-written penetration test report. Getting root, Administrator or SYSTEM access on a machine gives you full points, while a low-privilege shell gives you partial points. The breakdown of points per machine, along with the difficulty level as reported by many OSCP holders, is as follows:

Machine 1 (Buffer Overflow) = 25 points / Easy

Machine 2 = 10 points / Easy

Machine 3 = 20 points / Medium

Machine 4 = 20 points / Medium

Machine 5 = 25 points / Hard

When scheduling my exam, I had it booked for 10:30 AM. That gave me enough time to wake up at my normal time, get breakfast, fire up my VM and to go through my notes once more whilst downing my first can of Red Bull. You must connect to the proctor 15 minutes before the exam and share your webcam and screen(s) with them as well as do a walkthrough of your entire room including what’s underneath your table (no joke). Once they are satisfied with everything, they give you the go-ahead.

My strategy, like many others’, was to fire off AutoRecon scans while I worked on the buffer overflow. Pro tip: do not run AutoRecon against all the machines simultaneously. That just overloads the network and ends up giving you inconsistent results; instead, do it one target at a time. Within an hour I was able to compromise the buffer overflow machine and dove straight into the 10-point machine, which took me about 20 minutes to root. I was feeling good at this point, as I knew I had 35 points in hand, so I stopped for 30 minutes to eat some lunch. At 1:00 PM I came back to start working on the first 20-point machine. Looking at the ports and having enumerated all the running services for almost 3 hours, I was able to find and validate the vulnerability but just could not leverage it into a shell, so I decided not to waste any more time and instead jumped to the next 20-point machine. Went through my usual enumeration process and guess what? Nothing! Absolutely nothing! There was not a single port or service running on the box that was exploitable, or at least not among what I had enumerated. At this point I felt completely shattered, knowing that there was no way I would be able to root the 25-point box or even gain a foothold on it, nor would rooting the 20-point machine suffice. It was then that all the blogs and reddit posts I had read about people failing the OSCP exam multiple times began to resonate.

Having spent 6 hours so far, I decided to take a quick nap, hoping that something would pop into my head once I woke up. Alas, with so much accumulated stress, I was not able to really sleep; I just visited that hazy state of being simultaneously half-asleep and half-awake. However, even this short rest gave my brain some time to prepare for the second wind (or n-th wind, for that matter). That was all I needed. I endeavored to take on the 25-point machine. Looking at the ports and services running, there was one that just stood out. I told myself that it could not be that easy and that it was probably a rabbit hole (which, by the way, you will encounter a lot in the exam as opposed to the labs), but gave it a shot either way. In about 10 minutes, I had a low-privilege shell. Oh man, was I ecstatic! I took a quick victory break and went straight into enumerating possible vectors for privilege escalation. After about 4 hours, I was able to escalate privileges and own the 25-point machine. I had 60 points and needed just 10 more. There was finally hope. Gaining a foothold on either of the 20-point machines would give me enough points to pass, and so I went back to the initial 20-pointer. For the next 2 hours I was at another roadblock. I could not find a way to gain a foothold, even though I was able to validate the vulnerability. Nothing seemed to work. Just when I was on the verge of giving up, I saw something interesting. A quick Google search led me to a few things, and after some trial and error, by 10:00 PM I had a limited shell, bringing me up to 70 points. That’s it! It was over, it was finally over! After 12 brutal hours, I knew I had enough points to pass, but I wasn’t celebrating just yet. Reporting! I still had to submit a detailed pentest report, and I had not taken any screenshots, which I had intentionally left out during the exploitation phase for fear of documenting rabbit holes.

Having 12 hours left, I took some time off to re-energize; I had dinner, watched some TV and got back in at 1:00 AM. I popped open another can of Red Bull and started taking screenshots for the report. It took me a solid 3 hours straight to run through compromising each machine all over again (BO included), taking screenshots this time. By 4:00 AM, I had everything I needed. I took another quick break and started working on privilege escalation on the first 20-pointer. Fortunately, by 7:30 AM I had escalated privileges and pwned the machine. I had 80 points in hand. I felt good. I felt beyond good. I don’t know what I felt. I took the necessary screenshots for documentation and spent the last few hours on the last 20-pointer. By this time I was completely drained and started throwing every exploit I found at the machine hoping it would pop a shell, but nope, nothing seemed to work. At 10:00 AM I decided to throw in the towel and asked the proctor to end my exam session by terminating my VPN access, even though I had 30 minutes left. To this day, I could have sworn that the 20-point machine was fully patched.

After completing the exam, I now had to finish my report and submit it within 24 hours. Overwhelmed, I was finally able to get about 3–4 hours of good rest. I woke up, took a shower, had lunch, cracked open my last can of Red Bull and started writing. My estimated completion time for the report was 7 hours; however, it took me way longer than expected, 14 hours in total, including minor breaks in between. After reading the report what felt like a million times to make sure I had included everything, at 6:30 AM I submitted it and dozed off right on the couch. I was extremely tired after those 48 hours and needed 3 days to recover my energy, but it was undoubtedly worth it.

The wait game begins…

Unexpected Surprise

Fast forward 40 hours after the report submission: I got back home after a tiring day at work and checked my mail, as I had been doing every few hours since I sent off my report, and was shocked to see an email from OffSec. Fearing the worst, I was sure I had screwed up my report somewhere. What else could explain such a quick result, right?! I opened it up and saw…

I never expected to receive the email so early, because the usual turnaround time according to the exam guide is 5–10 business days. To be completely transparent, I was conservative about my chances of passing the OSCP exam on my first attempt. Passing on your first attempt is extremely rare, and if you ask most OSCP holders how many attempts it took them to pass, a majority would say “the second or third time”, some even after six attempts! Throughout my life, few things have given me a sense of pride and accomplishment, and I am glad to say that one of them is my OSCP journey. Not only am I proud to say that I passed OSCP on my first attempt, but I am one of the few Sri Lankans to have obtained this prestigious certificate at the time of writing.

Exam Tips

· First things first: read the exam guide. OffSec updates it regularly, so make sure you read it at least a day or two before your exam.

· Take a snapshot or full backup of your VM prior to the exam. The last thing you want is a non-working VM at the time your exam starts.

· Have a backup internet connection in place. This could mean a spare, cheap DSL router or a 4G/5G mobile connection as a fallback. In case of a power outage or a longer internet outage from your ISP, it is also a good idea to have a second location as your “warm site”.

· Take a systematic approach to tackling the 5 machines. I would suggest going from the easiest to the hardest; this gives you a sense of psychological satisfaction, knowing that you have a decent amount of points under your belt as you progress through the exam.

· Make sure to scan ALL ports, TCP and UDP alike: a default nmap run only covers the top 1000 TCP ports, and a service living on a high or UDP port will never show up. Do not assume what is running on a port from its number alone; enumerate the service.

· Take breaks during the exam! At least every two hours or after an achievement. That resets your mind and gives you new clues on how to approach a problem you are facing. Also make sure you are drinking and eating enough. Prepare a few snacks and/or a light meal the day before that you can easily warm up. This will renew your energy during the 24 hours.

· ENUMERATE, ENUMERATE, ENUMERATE! I cannot reiterate this enough. Whether you pass or fail on exam day often comes down to enumeration.

· Do not take screenshots after each step when trying to compromise a machine in the exam. If you fall into a rabbit hole and have documented each step, only to find out later that it was a rabbit hole, you have wasted a lot of time; instead, take them once you know the exploitation path. Make sure you have sufficient screenshots, as there is no going back once the exam ends.

· And finally, embrace failure. OSCP is a difficult journey and many people fail multiple times before passing. And you know what? That’s okay. It’s part of the journey to success.
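The two scanning tips above (run recon against one target at a time, and sweep every TCP and UDP port rather than trusting the defaults) can be combined into a small two-stage workflow. The script below is an added example for this page, not the author's tooling and not AutoRecon itself: per target, it sweeps all 65535 TCP ports and the most common UDP ports with nmap's greppable output (-oG), parses that output to find what actually came back open, and only then runs version detection and default scripts (-sV -sC) against those ports. Targets are processed strictly in sequence so one run never saturates the VPN link. The target addresses, the `scans/` output directory and the `udp_top` value are assumptions; the `-oG` field layout it parses (`port/state/proto/owner/service/rpc/version/`) is nmap's documented format.

```python
#!/usr/bin/env python3
"""Sequential two-stage nmap enumeration (added example, not from the post).

Stage 1: full TCP sweep (-p-) plus the top UDP ports, written as greppable
output.  Stage 2: -sV -sC only on the ports that came back open.  SYN and UDP
scans need raw sockets, so run this as root.  Targets and paths are assumed."""
import re
import subprocess
import sys
from pathlib import Path

# One "port/state/proto/owner/service/rpc/version/" cell of an -oG "Ports:" field.
PORT_CELL = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/")
HOST_FIELD = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text, include_open_filtered=False):
    """Map each host in nmap -oG output to its open ports, per protocol.

    UDP probes frequently come back 'open|filtered'; those are only included
    on request, because feeding dozens of them to -sV is slow and they need
    manual follow-up anyway."""
    wanted = {"open"}
    if include_open_filtered:
        wanted.add("open|filtered")
    hosts = {}
    for line in text.splitlines():
        m = HOST_FIELD.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and the "Status: Up" line carry no ports
        ports = hosts.setdefault(m.group(1), {"tcp": [], "udp": []})
        for port, state, proto in PORT_CELL.findall(line):
            if state in wanted:
                ports[proto].append(int(port))
    for ports in hosts.values():
        ports["tcp"].sort()
        ports["udp"].sort()
    return hosts


def discovery_cmds(target, out_dir, udp_top=100):
    """Stage-1 commands: every TCP port, then the most common UDP ports."""
    out_dir = Path(out_dir)
    return [
        # --min-rate keeps a full sweep bearable over a VPN without the
        # parallelism of scanning several hosts at once.
        ["nmap", "-Pn", "-p-", "--min-rate", "500",
         "-oG", str(out_dir / f"{target}_tcp.gnmap"), target],
        ["nmap", "-Pn", "-sU", "--top-ports", str(udp_top),
         "-oG", str(out_dir / f"{target}_udp.gnmap"), target],
    ]


def service_cmd(target, proto, ports, out_dir):
    """Stage-2 command: version detection + default scripts on found ports only.
    Returns None when there is nothing to enumerate for that protocol."""
    if not ports:
        return None
    cmd = ["nmap", "-Pn", "-sV", "-sC"]
    if proto == "udp":
        cmd.append("-sU")
    cmd += ["-p", ",".join(str(p) for p in ports),
            "-oN", str(Path(out_dir) / f"{target}_{proto}_svc.nmap"), target]
    return cmd


def enumerate_target(target, out_dir):
    """Run both stages for one target and return the open ports found."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    found = {"tcp": [], "udp": []}
    for cmd in discovery_cmds(target, out_dir):
        subprocess.run(cmd, check=True)
        gnmap = Path(cmd[cmd.index("-oG") + 1]).read_text()
        for ports in parse_grepable(gnmap).values():
            found["tcp"] += ports["tcp"]
            found["udp"] += ports["udp"]
    for proto in ("tcp", "udp"):
        cmd = service_cmd(target, proto, found[proto], out_dir)
        if cmd:
            subprocess.run(cmd, check=True)
    return found


if __name__ == "__main__":
    # Usage (assumed addresses): sudo ./enum.py 10.11.1.5 10.11.1.6
    # Targets are handled one after another, never in parallel.
    for tgt in sys.argv[1:]:
        print(f"[*] {tgt}: open {enumerate_target(tgt, Path('scans') / tgt)}")
```

The 'open|filtered' UDP results are deliberately left out of the automated follow-up; grep for them in the `_udp.gnmap` file and probe the interesting ones (SNMP, TFTP, NFS) by hand, since a -sV run across every unanswered UDP port can take longer than the rest of the scan combined.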

Wrapping it Up

The OSCP is definitely not for the faint of heart or the non-dedicated. You have to be willing to put in the time, sacrifice personal life, and stare at a problem until you’re bashing your head into the wall. There were countless times I sat there trying to learn why something worked. I would read changelogs, CVEs, GitHub pages, you name it. Did I run into topics I did not know? Yes. Did I open an exploit and sit there trying to understand it while my brain melted into a pool of nothing? Absolutely! But guess what? It was worth it. You have to have a hunger to learn. Don’t ask what exploit to use; instead, ask why an exploit works. Ask why a vulnerability exists. You will find a lot more answers and knowledge when you begin to question things.

With all that said, as the famous fictional chef from Ratatouille once said, “Anyone can cook.” Well, the same goes for this. Anyone can pass this exam if they give it sheer commitment. Good luck to everyone out there still in the course or thinking of signing up, and if you do not know whether you should, do it. I spent $1,400 on this course and before I even passed the exam, I had gotten well more than my money’s worth. If you are stuck in the labs and want a quick nudge on a box, or have any questions related to the exam, feel free to hit me up on LinkedIn and I shall try to help you out without giving away too much.

Useful Resources

Below are a few of the resources/tools that helped me throughout my OSCP journey:

TJ Null’s List of OSCP-like VMs — You cannot go into the OSCP exam without having rooted at least 20 of the HTB machines on the list.

IppSec Youtube Channel — Walkthroughs of retired HackTheBox machines. Take notes!

AutoRecon — A recon tool which automates the enumeration of services. A lifesaver, to be honest.

Linux Privilege Escalation for OSCP & Beyond! — Weak in Linux Privilege Escalation? I cannot recommend this course enough.

Windows Privilege Escalation for OSCP & Beyond! — The same goes for this, but Windows.

HackTricks — Your one stop website for all your pentest needs.

OSCP subreddit — Everything OSCP in general.

InfoSec Prep Discord Group — Want to work alongside like-minded people? Join this group. You will find some prominent infosec individuals in the server, notably OffSec staff, content creators, HTB ambassadors, and authors of well-regarded pentesting tools.
