My experience getting OSCP

29 Jun 2014

About a month ago I passed my OSCP exam. I would like to share my experience considering this is one of the most interesting, challenging and hardest courses I've ever took. The course itself is very comprehensive, but you will need to put in a a lot more effort than just going through the course manual to pass the exam. Be prepared to Try Harder!

Penetration testing with Kali

I'm a security consultant during my daytime job and wanted to get the OSCP certification as it is -in my eyes- one of the few certificates available that assures technical competence during a penetration test. I started with the penetration testing with BackTrack course, but due to my work obligations I wasn't able to hit the lab as much as I actually wanted to. This resulted in an extension, which was roughly around the time PwK was released. I decided to update to PwK continue from there. The course covers a lot of techniques and exercises, but know that most of your time will be spent within the practice lab network. This is a real challenge where you will have to compromise multiple networks using pivoting techniques to succeed.

Pre-requisites

  • You should be familiar with basic TCP/IP
  • Be able to write small programs and scripts
  • Be familiar with the Windows and Linux shell/cmd
  • Have a decent computer so you can run one or two virtual machines
  • Be prepared to work around 20 hours a week on this, this can be challenging to do next to a fulltime job
  • Be prepared to Try Harder, this course isn't a SANS or CEH course where you just fill in a multiple choice exam. There is a reason few people pass the exam from the first time.

Keeping track

It's very important that you take good notes and supporting screen shots while hitting the lab. I like KeepNote, which was recommended by Offensive Security during the course. I also installed shutter on my machine to take screen shots. It's similar to the snipping tool in Windows. Use a good folder structure to organize your notes. For every machine I created a separate folder which contained relevant screen shots and scripts. I also stored my script (if re-usable) in a separate script folder. This can be handy for other machines, but also when doing the final exam. BACKUP, BACKUP, BACKUP always take a good backup. I accidentally removed part of my notes. The easiest way in my opinion is to use a git repo and regularly push and commit your notes/binaries/scripts or whatever you made to your repo (I used a private bitbucket repository). It's easier to track what you have been doing and lowers the risk of deleting things by accident.

Reporting

Penetration testing is as much about being able to find vulnerabilities in a network as it is about being able to represent this in report so that it is clear and understandable for people who might know less about security or who are not technical at all. In the end after pentesting, the only result for a client is the report. This part is not to be underestimated, I ended up writing around 240 pages of report. I first did the lab and then took another 14 days to write the report, it might be better to immediately write out everything.

Lab

You will enjoy countless nights in the lab, befriending Bob, Alice, Bill, Sean and many others. If you are brave you can even take on Pain, Sufferance and Humble. The lab is vast and to be able to pass the exam, Offsec recommends at least getting all of the machines in the student network. One hint I also want to give is 'keep it simple'. I've had it a few times that I was overthinking certain attack vectors, always start with the simple things. I was able to get into all of the networks, but did not get into all machines. This isn't necessary to pass the exam, but you will be a lot more prepared if you do. My recommendations:
  • Script as much as possible in re-usable way
  • Automate all the things!
  • Make sure you understand every exploit you use, if it's a Metasploit module, ensure that you can port it to a standalone version
  • Make sure you have a windows environment to compile binaries, cross compiling sometimes gave me a lot of headaches which were quickly solved by using Windows with Visual Studio
  • Be able to identify vulnerabilities manually and with nmap script scans, you aren't allowed to use Nexpose, Nessus or any other vulnerability scanner during the exam
Another great resource I used was written by Mike Czumak: Offensive Security’s PWB and OSCP — My Experience Make sure to talk to other students, I found that having a buddy which can get you back on the right or help you while you are stuck (and vice versa of course!) can be really helpful. Don't be dependent on them as they won't be there to help you during the exam.

Exam

The exam is the hardest part. I recommend to structure all your scripts and pre-compile your most used local privilege escalation exploits. You don't want to lose time on this during the exam. To pass the exam you need to have at least a certain amount of points. Each machine is worth a set amount of points and also has its own restrictions. As said before, you aren't allowed to use Metasploit during the exam, except as a handler. If you like using meterpreter, know there are restrictions on which instructions you can use. The exam was not easy in my experience, partially because you are very limited when it comes to using Metasploit. I wanted to get all the machines, but was not able to get root/administrator on all of them. I managed to get shells on all of them though. Make sure you have a good lab report. If you don't get enough points, they might accredit the few extra points needed if your lab report was exhaustive and written well.

Fatigue

One of the things I underestimated slightly was the fatigue. 24 hours is a very long time to stay focused, so it's actually best to go for a walk every two hours or so. I also recommend doing a powernap after 14 hours. I didn't do this and with two hours to go I almost had to type every command three times to get it correct. Prepare well:
  • Put pizza on speed dial or prepare some food up front so you can just re-heat it
  • Get some muesli bars or other partially healthy snack, they are nutritious and can stimulate you mentally as well
  • Get some energy drinks or caffeine rich drinks in general, I started to like Club Mate (which is often described as tasting like hay-filtered horse-piss) during the exam
  • Plenty of water
  • Turn off your phone/email, really!
After the exam finishes, take a rest and start reporting based on your notes. Ensure you take plenty of screen shots of every step you take to compromise a machine and that you keep a copy of all shells (commands executed and the responses) so you can backtrace if you need to.