My OSCP Experience

The PWK Course was something that had been on my radar for years and I'd been wanting to take it for quite a while. Having heard of its ass-whupping potential, I wanted to make sure I could devote the time and energy to the course and last year, I finally sucked it up and signed up for the 60 day lab.

My Background

Thanks to my dad who had the foresight to realize computers were the future, I've been around and fascinated by home computers from a very early age. While I didn't major in a computer related discipline, I spent many hours breaking, fixing and learning about them the hard way (pro tip: don't pull out memory from the motherboard while the computer is powered on). My first job out of college was in help desk. I don't know how many of you have had the joy of working in help desk - it certainly teaches you a lot about dealing with the broad reaches of humankind (I will never again lose my patience with any kind of customer service, ever). Still, I knew I needed to move on and decided to focus on networking, working with Novell Netware, all the incarnations of Microsoft Windows and various Cisco gear. I obtained the CCNA and MCSE certifications and eventually got into sysadmin work. With that, I did a ton of work with firewalls, routers, servers and a good bit of PCI compliance work (audits, vulnerability assessments, server hardening, etc). So I walked into the course with a strong networking background, good Linux and Windows skills, and proficiency in DOS batch file and bash scripting, but no programming knowledge whatsoever. I was aware of the concepts involved in pentesting but had no practical experience with it.

The Course

I received my course materials on June 9, 2018. I dove into the materials and, following suggestions from Reddit, decided to stay away from the labs until I finished the coursework. I followed another Reddit suggestion and would read a section of the PDF then watch the accompanying video, which worked pretty well - there is overlap but sometimes small things would be in one but not the other. I was doing the exercises for the lab report along the way as much as I could but given the nature of some of the exercises (e.g. use X tool in the labs but we won't tell you exactly where), there were unfinished exercises here and there. Still, I was cruising along pretty well. Then I hit the buffer overflow section:

[Image: My brain meeting the buffer overflow section]

Suddenly I felt lost. I just could not understand what was going on and felt extremely stupid. Apparently watching a video does not make one an expert at...anything. The video would make perfect sense but then doing it on my own was frustrating and confusing at best and I struggled to make sense of it. It was here that I questioned my choice not to study computer science in college, my choice of networking over programming post-help desk, and I cursed the gods mightily. It took what felt like forever to really understand how it worked but after endless videos/tutorials something finally clicked in my brain and I got it - sweet!
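What eventually "clicks" in that section is mostly bookkeeping that is identical on every classic 32-bit stack overflow target: send a non-repeating pattern instead of a wall of A's, turn the EIP value the debugger shows you back into an offset, send every possible byte to spot the ones the target mangles, and lay out the final buffer. The following helpers are an added example written for this post, not the PWK course material or the author's own scripts. They reimplement the Aa0Aa1... pattern used by Metasploit's pattern_create.rb/pattern_offset.rb so nothing here needs a target; the EIP value, return address and shellcode bytes in the demo are illustrative values, not taken from any particular machine.

```python
"""Stack buffer overflow bookkeeping helpers (added example, not PWK material).

Steps that repeat on every 32-bit x86 stack overflow:
  1. cyclic_pattern()   - unique pattern to send instead of 'A' * N
  2. pattern_offset()   - EIP value from the debugger -> offset into that pattern
  3. badchar_string()   - all bytes except the ones already known to be bad
  4. build_payload()    - junk + return address + NOP sled + shellcode + padding
  5. contains_badchars()- sanity check before you send the final buffer
"""
import string
import struct
from itertools import product
from typing import List, Optional


def cyclic_pattern(length: int) -> bytes:
    """Return `length` bytes of the Aa0Aa1Aa2... pattern (period 20280 bytes).

    Same scheme as Metasploit's pattern_create.rb: uppercase, lowercase, digit,
    iterated with the digit changing fastest, wrapping around if needed.
    """
    out = bytearray()
    while len(out) < length:
        for upper, lower, digit in product(string.ascii_uppercase,
                                           string.ascii_lowercase,
                                           string.digits):
            out += (upper + lower + digit).encode()
            if len(out) >= length:
                break
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int = 5000) -> Optional[int]:
    """Map the EIP value shown by the debugger (e.g. 0x39694438) to its offset.

    x86 is little-endian, so the 4 bytes that landed in EIP appear reversed in
    the register display; struct.pack('<I') restores the on-the-wire order.
    """
    needle = struct.pack("<I", eip_value)
    idx = cyclic_pattern(length).find(needle)
    return idx if idx >= 0 else None


def badchar_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte value except the known bad ones. 0x00 is always excluded
    because it terminates C strings; add bytes to `exclude` as you find them."""
    bad = set(exclude) | {0}
    return bytes(b for b in range(256) if b not in bad)


def build_payload(offset: int, return_addr: int, shellcode: bytes,
                  nop_sled: int = 16, total: Optional[int] = None) -> bytes:
    """Classic layout: junk up to EIP, overwrite EIP with a JMP ESP address
    (little-endian), NOP sled, shellcode, then pad to the crash length."""
    payload = (b"A" * offset
               + struct.pack("<I", return_addr)
               + b"\x90" * nop_sled
               + shellcode)
    if total is not None and len(payload) < total:
        payload += b"C" * (total - len(payload))
    return payload


def contains_badchars(data: bytes, bad: bytes) -> List[int]:
    """Return the sorted list of bad byte values present in `data` (empty is good)."""
    return sorted({b for b in data if b in set(bad)})


if __name__ == "__main__":
    # Illustrative values only: an EIP value read off a crash, a JMP ESP
    # address, and placeholder shellcode (INT3 breakpoints).
    crash_eip = 0x39694438
    off = pattern_offset(crash_eip)
    print(f"EIP {crash_eip:#x} -> offset {off}")                    # 2606
    bad = b"\x00\x0a\x0d"
    print(f"badchar probe is {len(badchar_string(bad))} bytes long")  # 253
    payload = build_payload(off, 0x5F4A358F, b"\xcc" * 4, nop_sled=8, total=3500)
    print(f"payload length {len(payload)}, bad bytes in shellcode: "
          f"{contains_badchars(payload[off + 4:], bad)}")
```

The one check people skip under exam pressure is the last one: run contains_badchars() over the generated shellcode with the full list of bytes you identified, not just 0x00, before sending the final buffer; a single mangled byte in the decoder stub is indistinguishable from a wrong return address when you are staring at a dead listener at 3 a.m.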

In the end, I spent 28 days of my 60-day lab time on the coursework. Despite trying to devote as much time as I could to the coursework, I was juggling the rest of life. I could have probably shortened this time but it is what it is.

The Labs

With 32 days left, I hit the labs. There are ~50 machines spread out through four networks. You are let loose on the labs with no real instruction so after the initial scans, I was like 'uhhh, what now???'  I semi-randomly chose targets with different degrees of success. Some machines were dead simple while others were very difficult and other than the famed "Big 4 Bosses" - Ghost, Pain, Sufferance, Humble - I had no idea which were which. I managed to root 22 boxes (one of which was Pain) before time ran out, making it to the IT and Dev networks. There were some machines I used Metasploit on because I couldn't get manual exploits working but made note of them to revisit later on. I stayed away from the exam-banned tools (Metasploit/Nessus/SQLMap/etc) as much as possible unless I was completely stuck or it was part of the coursework.  I really enjoyed how things were set up like a real corporate network, complete with lazy users/admins and that you had to own certain boxes to even get a foothold on another. There are bits of rather amusing humor spread through the labs to keep things interesting too.

A common question is 'how much time were you spending on the labs everyday?' I am self-employed so the time I was able to devote to the labs was anywhere from 0 to 12 hours per day, depending on my workload.

At the end of the lab time, I knew I was not prepared for the exam but figured I might as well get an attempt out of the way for the experience, since purchasing a lab extension while you have an unused exam attempt does not give you 2 attempts - they do NOT stack. My lab time ran out August 8, 2018 and the soonest I could schedule an exam attempt was October 3, 2018, so keep in mind that a few weeks of lead time may be needed before you can schedule an exam.

In the end, this break between the lab and exam was a blessing as I was unexpectedly sidelined for 3 weeks by an infected tooth abscess. Blinding pain and/or a hydrocodone stupor are not conducive to studying.

Exam Attempt #1

The exam is worth a total of 100 points spread between 5 machines - 25 point buffer overflow, 25, 20, 20 and 10 points. You are told which one is the buffer overflow box and are provided a Windows VM to use for debugging and testing. I started on the buffer overflow box and let an enumeration scan run on the other 4 machines while I worked on it. Thanks to the endless tutorials and videos I went through, I was able to complete the buffer overflow box in 2 hours. I could have done it in less time but I took my time to make damn sure I had all the screenshots necessary. Naturally, at this point, just as I thought I was on a roll, things went downhill in a serious way. Despite reading all sorts of advice about getting enough rest and avoiding rabbit holes, I ignored all of that - I pulled an all-nighter and went down more rabbit holes than Watership Down.  In the end, I was able to get limited shells on the two 20 point boxes, failed completely on the 25 box and used my one Metasploit shot to own the 10 pointer.

Offensive Security does not publish how they score limited shells but assuming they are worth half the points, I failed with 55 points of the 70 needed to pass. I did not have the lab writeup completed so I didn't bother turning that in. I still did the exam writeup, turning that in on October 4, 2018. Sure enough, I got an email the next day letting me know I failed.

The Labs Part 2 aka F-U Failure aka Try Harder

After giving myself a week off, I prepped for a return to the labs by working on recommended VulnHub boxes (thanks Abatchy) and some HackTheBox machines. I bought a 30 day lab extension which started October 22, 2018.

One benefit to failure is that it is the best motivator. The exam kicked my ass and I was sure as hell going to kick it back. I hit the labs with a vengeance. By the time the 30 days were up, I had made it to the Admin network and owned all of the remaining machines except for one, sometimes owning up to 3 boxes a day. I revisited all the machines I used automated tools on and owned them manually. I also went and finished all the coursework just in case I needed the 5 points.

Exam Attempt #2

Maybe it was due to the holiday season but the lead time for scheduling my second exam attempt was considerably shorter and I got a slot for November 28, 2018. I gave myself a week off after the labs ended to relax and prepare any notes/scripts for the exam.

This exam attempt was proctored which was pretty painless. You can test the webcam prior to the exam which I strongly suggest you do to prevent any troubleshooting from eating into your exam time. Once in a while a proctor would message me asking to restart the webcam but there were no problems otherwise.

Like the first attempt, I started on the buffer overflow box while enumerating the others. That one fell in under 2 hours and I moved on. Within 8 hours of starting, I had the buffer overflow machine and the two 20 point machines for a solid 65 points. With the coursework, I had the 70 points needed to pass but I wanted to get as many points as possible to remove any doubt of passing. A couple of hours later, I had a limited shell on the 25 point box so I figured I had 82.5 points. I thought about stopping here but decided to go for it just because. Despite my intentions to get more rest and avoid rabbit holes, I simply could not sleep and ended up chasing my tail pretty badly. The universe and I have a very long and sordid history of being at odds and as such, the universe enjoys a passive-aggressive jab at me every now and then. That night, a thunderstorm knocked out my internet connection for a very long, panic-filled 10 minutes. With no sleep, I stubbornly continued working on the 25 pointer and failed to get anywhere on what should have been the gimme 10 point box. With an hour left to go, I realized a key piece of information I had been hunting for had been in front of my face the whole time - it was literally the first thing I saw in the limited shell. THAT is exactly why people tell you to get rest and take breaks. I worked furiously up until the end but ran out of time.

I tried to sleep at this point but was too wound up to, so I started on the exam report. I sat on it for a while to double/triple check and was glad I did. I found some very stupid mistakes which I blamed on sleep deprivation. I turned in the report on November 30 and got an email back on December 1 letting me know I had passed.

Thoughts on the Course

I really enjoyed the course and the labs. When my final lab time ended, I found myself missing them. This was a far cry from the multiple choice tests I passed for the CCNA and MCSE back in the day.

A common criticism I hear about the PWK is that the labs use outdated machines with old vulnerabilities. While this can be true, I guarantee you that tons of businesses of all sizes are using seriously outdated and vulnerable software right at this moment. Oh the stories I could tell...

That being said, I do wish they had an Active Directory network to play in - AD is pretty pervasive in the corporate world and I'm currently learning more about it on my own now.

The biggest thing I took away from the experience was the pentesting methodology - that is something that remains fairly constant with some very personal nuances you have to work out for yourself. Some students don't like that the "Try Harder" motto means a lot of self-learning considering how much the course costs. I understand where they are coming from but my thought is that there is no better way to learn than to dive in and do it yourself. I prefer a practical hands-on learning approach as opposed to a book-reading approach, and personally learn and remember things more when I do and figure them out on my own.

Tips

  • While you are encouraged to use their pre-made 32-bit Kali VM, I ended up using an updated customized 64-bit Kali VM because I wanted the additional memory and I much prefer the look of Mate over Gnome. Other than having to compile some things with different flags, e.g. gcc source.c -m32, I had no issues at all using the 64-bit VM for the labs or the exam.
  • Take snapshots of the VM before updating as things occasionally go wrong (I'm looking at you samba).
  • I will echo what others have said - DO THE COURSEWORK BEFORE HITTING THE LABS. This is especially important if you don't come from a pentesting background. Also, the 5 points the coursework is worth can make the difference between a passing or failing score.
  • Keep really detailed notes from the start - pretend like you are taking them for your non-technical grandmother. When I reviewed my coursework during the second lab, I was shaking my head at how bad or unclear my notes were and had to re-do many of them.
  • I hashtagged my notes on machines so I could search and refer to them easily - #ssh, #wordpress, etc. This came in very handy during the labs/exam and still helps now on HackTheBox.
  • Figure out repetitive tasks you keep doing and script them - you will save precious time as well as learning/practicing scripting skills. I'll share some of mine in another post soon.
  • Don't go to the forums first thing but don't be afraid of them either. Going to them too early will cheat you out of much needed experience and practice. On the flip side, banging your head against a problem you don't know anything about isn't going to solve it or give you a learning opportunity. If I simply could not make progress on a box after many hours, I'd check the forums for a hint. Many times a tiny kernel would give me a direction on what to research and learn. I could not have learned as much as I did without this.
  • You can never enumerate too much. If you find yourself stuck on a machine, enumerate some more.
  • Get a solid understanding of basic networking beforehand so you don't spend valuable lab time on it. Having prior linux knowledge would be very helpful but don't let the lack of it stop you from taking the course. Spending some time on Bandit would be enough of an intro for most people I think.
  • I had scripting skills but no programming ability when I started the course. You will not need to create programs from scratch but you should be able to look at code, understand the gist of it and change it to fit your needs. You will be looking at anything from C to Ruby to Python.
  • Practice doing buffer overflows over and over again until it becomes second nature. It's 25% of the exam and can be knocked out pretty quickly so make sure you know what you're doing here. I was worried about having to write a fuzzer from scratch but was assured I wouldn't have to. I don't think I'm allowed to give more details but just know that you are given everything you need in the exam.
  • Immediately backup your course materials and secure them. They are watermarked with your name so if someone gets a hold of them and leaks them...
  • Read and re-read the exam requirements, quadruple check your reports and make sure you turn everything in using the formats required. I've seen complaints from students who rooted most/all of the boxes but failed because they missed some screenshots or something and Offensive Security would not let them fix their errors. That really blows but the harsh fact of the matter is they have no one to blame but themselves. It's just like dropping your tax returns in the mail - once it's sent, it's out of your hands.
  • During the exam, switch between machines every couple of hours or so. This can prevent some of the rabbit holes. This tactic worked very well for me until insomnia and exhaustion ganged up on me.
  • Get some rest during the exam if you can. I tried to sleep but an overactive brain made that an impossibility for me.
  • Don't forget to eat during the exam and stay hydrated.
  • Try harder :)
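The scripting and enumeration tips above pair naturally: the first thing you repeat on every one of the ~50 lab machines is "read the nmap output, write down the open ports, decide what to poke at next." The script below is an added example written for this post, not one of the author's scripts: it parses nmap's -oX output into a per-host service table and emits a follow-up checklist from a small service-to-command map. The embedded XML is a constructed sample (made-up addresses, products and versions) so it runs offline; the commands only use standard invocations of nikto, gobuster, enum4linux, smbclient and nmap's ftp-anon script, but the wordlist path and the choice of tools are assumptions you should tailor to your own workflow.

```python
"""nmap XML -> per-host service table + enumeration to-do list.

Added example for the 'script your repetitive tasks' tip; not PWK material.
Usage against a real scan:  nmap -sV -oX scan.xml <targets>  then
parse_nmap_xml(open('scan.xml').read()).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in nmap's -oX format. Hosts, products and versions are
# made up; 10.11.1.6 is down and 8080 is closed to exercise the filtering.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.11.1.0/24">
<host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.18"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="4.3.11"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="down"/><address addr="10.11.1.6" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="10.11.1.22" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
</ports></host>
</nmaprun>
"""

# nmap service name -> follow-up command templates. {host}/{port} are filled in.
# Wordlist path is an assumption; adjust to your Kali install.
FOLLOWUPS = {
    "http": [
        "nikto -h http://{host}:{port}",
        "gobuster dir -u http://{host}:{port} -w /usr/share/wordlists/dirb/common.txt",
    ],
    "https": [
        "nikto -h https://{host}:{port}",
        "gobuster dir -u https://{host}:{port} -w /usr/share/wordlists/dirb/common.txt -k",
    ],
    "ftp": ["nmap -p {port} --script ftp-anon {host}"],
    "microsoft-ds": ["enum4linux -a {host}", "smbclient -L //{host} -N"],
    "netbios-ssn": ["enum4linux -a {host}"],
}


def parse_nmap_xml(xml_text: str) -> Dict[str, List[dict]]:
    """Return {ipv4: [ {port, proto, name, banner}, ... ]} for hosts that are
    up, keeping only open ports, sorted by port number."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, List[dict]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap considered down
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for the to-do list
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            banner = ""
            if svc is not None:
                banner = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            services.append({"port": int(port.get("portid")),
                             "proto": port.get("protocol"),
                             "name": name, "banner": banner})
        hosts[addr.get("addr")] = sorted(services, key=lambda s: s["port"])
    return hosts


def summary_lines(hosts: Dict[str, List[dict]]) -> List[str]:
    """One line per host, one indented line per open service (for your notes)."""
    lines = []
    for ip, services in hosts.items():
        lines.append(ip)
        for s in services:
            lines.append(f"  {s['port']}/{s['proto']:<4} {s['name']:<14} {s['banner']}")
    return lines


def followup_commands(hosts: Dict[str, List[dict]]) -> List[str]:
    """Expand FOLLOWUPS for every matching open service, in host/port order."""
    cmds = []
    for ip, services in hosts.items():
        for s in services:
            for template in FOLLOWUPS.get(s["name"], []):
                cmds.append(template.format(host=ip, port=s["port"]))
    return cmds


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    print("\n".join(summary_lines(found)))
    print("\nTo do:")
    print("\n".join(followup_commands(found)))
```

Keep the FOLLOWUPS map as the thing you grow over the lab: every time you catch yourself typing the same command for the third time, it goes in there. The output is deliberately a list of commands to read and run yourself rather than something the script executes, so you still see every result and nothing fires at a host you did not intend to touch.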

What's Next?

Given how much respect the OSCP has in the industry, I didn't understand why some people would call it an entry-level certification. After immersing myself in pentesting for the past year I'm inclined to agree with that assessment. Pentesting and security in general are extremely deep fields and the PWK just scratches the surface. My personal to-learn list in no particular order:

  1. Active Directory pentesting - I will probably play with this in my home lab first but this offering from Pentester Academy looks interesting and reasonably priced. I have enough horsepower in my home lab to set up an AD environment but it's not as much fun to solve a puzzle you put together yourself ;)
  2. Python - the syntax doesn't seem too bad and modules like Scapy are extremely powerful.
  3. PowerShell - the commands are long but generally make sense. Figuring it out to use in my rubber ducky wifi script was pretty easy and from what I've seen, it's a huge part of AD pentesting.
  4. Hardware/IoT stuff - popping shells is great but there's a lot to be said for playing with hardware hands-on. I'm having a ton of fun with the Digisparks, recently bought a Crazyradio PA and have a used Ubertooth One en route.
  5. Web app testing - the PWK covered this a bit but kind of superficially. While playing on HackTheBox, I've been completely lost at times because I don't know the first thing about web development.

That's about it. Hopefully you got some useful info out of this. I'll be posting up some helpful scripts with beginner-friendly breakdowns soon.