Recently I earned my Offensive Security Certified Professional (OSCP) certification after successfully passing the OSCP exam challenge. OSCP is a penetration testing certification offered by Offensive Security. To earn the title, you have to complete the Penetration Testing with Kali Linux (PWK) training course and pass the arduous 24-hour exam challenge. Offensive Security is well known in the security industry as they’re the creators of the popular Kali Linux distribution and the Exploit-DB online exploit database. OSCP distinguishes itself from other InfoSec certs by teaching you practical skills in the field of penetration testing.
PWK Course and Lab
Once you join the PWK course, you get a PDF guide and accompanying video tutorials to get started. However, the most interesting part of the course is that you also get VPN access to a network of around 50 vulnerable machines. This network resembles a real-life organization, even including some bots doing client-side activities like real users. This network also has some subnets that are not directly routable. You need to compromise certain machines and use pivoting techniques to get access to these subnets.
When I worked through the lab, I was really surprised and impressed by the number of diverse vulnerable applications and systems available. You can practice everything from buffer overflows and web app attacks to client-side attacks. Systems consist of different versions of Windows, Linux, UNIX and even some legacy FreeBSD hosts.
The course material is meant to get you started and may help you to compromise easy systems. However, in order to compromise most systems, you need to do a lot of independent research and study on your own. Working on the lab was certainly a rollercoaster ride for me. In the early stages I found myself hitting walls and getting quite frustrated. There is no hand-holding or spoon-feeding on this course. There are no easy answers or easy guides. Course admins might give you hints, but most of the time they will tell you to “try harder”. The whole point of the course is to find and figure things out by yourself. This is understandable, as real-life pen-testing is not an easy task and requires significant effort.
I hardly found any exploits that worked out of the box. Most of the time you need to understand the vulnerability and the exploit code to make the necessary modifications to get it to work. This is why it is essential that you have prior knowledge of coding languages such as C, Python and PHP. Automated tools such as Metasploit and vulnerability scanners are allowed in the lab. However, I stopped using them, as most of these tools are limited and restricted in the exam. As I progressed through the lab, I got comfortable modifying and using custom exploits.
Finding time for the lab can be a challenge in itself. It was tough to manage time between family, work and the lab. I purchased 60 days of lab time because I had to finish this course and exam before year end. I spent most of my free time on the lab and skipped non-essential events. By the end of my lab time I managed to root 41 machines, including the hard ones (Pain, Sufferance and Humble), and pivoted into other subnets. Even though I had time to root a few more boxes, I spent my last few days reviewing my notes and refining my methodology to prepare for the exam.
I booked my exam close to the end of my lab time (3 days after it ended) because I had trouble finding suitable dates with my work schedule. I used the three days to prepare my notes, exploits and the report template. For the exam you’re given access to an isolated exam VPN with a few machines. In order to get points you need to compromise these machines and document (with screenshots) the steps you have taken. Points are awarded for each compromised machine, based on its difficulty and the level of access gained. You have 24 hours to complete the exam, with an additional 24 hours (from the exam end time) to complete and submit your report.
On the exam day, I received my exam pack in the evening at the scheduled time and jumped straight into the exam network to enumerate the targets. However, about one hour into the exam I had to shut down because of a bad thunderstorm. It was the rainy season, and thunderstorms are a common occurrence where I live. I lost about one and a half hours of my exam time because of this. This wasn’t good, as the early hours are crucial; as time goes on, fatigue sets in. However, I wasn’t ready to contact the admins or reschedule. One of the things you learn in OSCP is to build the mindset to persevere under difficult conditions. And because I did well in the labs, I was confident that I still had enough time to complete the exam.
After the storm cleared, I picked up from where I left off and managed to get my first shell. I worked for 12 hours, with short breaks and a stop for dinner, and managed to compromise two more targets. I needed one more machine to reach my passing score. However, I was too tired to continue at this point. I slept for about 6 hours and went back to the exam lab in the morning with a fresh mind. Within hours I was able to get the next machine needed for the passing score. After getting some more rest, I used the rest of the day to prepare and submit my report. Finally, within two days I received my results email: I had passed on the first try.
Earning my OSCP was certainly a unique and rewarding experience. Offensive Security has done an excellent job of training students by putting them through a tough, hands-on training course. I learned more in just two months than I did in a year. I especially enjoyed the exploit writing and web application exploitation parts. Even though the journey is over, I will continue to build upon the knowledge gained. It was a frustrating journey, but well worth it in the end.