To obtain the designation of Offensive Security Certified Professional (OSCP) you must first complete the Penetration Testing with Kali (PWK) course. The course is available in 30-, 60-, or 90-day blocks. I chose to do the course in 90 days.
As many others have said, obtaining the OSCP is HARD. It was, and it was also great fun and captivating. The dichotomy of emotions is like none other. One minute you are frustrated to the breaking point then suddenly extreme joy and elation. The roller coaster that is the Penetration Testing with Kali (PWK) course is not for the faint of heart (eh, it probably is, I’m just trying to paint a dramatic picture here).
My interest in the OSCP started in 2013 after I read several comments on Reddit claiming that this certification is a real test of ability and that obtaining the OSCP provides credibility unlike any other. I was hard-pressed to find any negative assessment or legitimate criticism of it. I hadn’t given it much serious thought due to self-doubt, and I always found excuses not to pursue it.
My interest in the OSCP was reignited once a colleague managed to convince our management that they should approve the PWK. Thanks to @ for lighting the spark. I had recently taken on the President role of my kids’ swimming club, and this being my first full season at the helm, I was a bit concerned about the timing and how much effort I would have to put into the course. That wasn’t going to stop me, however; I was motivated and excited to face this daunting challenge. Also, it’s easy to get lost in something when you have a true passion for it.
It wasn’t until late 2015 that I was able to register. The process is different from any other online registration process I have ever gone through. I first had to fill out and submit a form just to get the privilege to register. The email address that I registered with could not be from a free service (e.g. Hotmail, Gmail). Once I received the course information email I had 72 hours to complete the registration. There were a couple more back-and-forth emails requesting more information to verify my identity and to make sure all the I’s were dotted and T’s crossed.
After I proved who I was, I completed the registration process. I was then informed that my spot was reserved. The excitement and anticipation were starting to build by this point. The next steps were testing the VPN connection and completing payment. After all that … I had to wait about 15 days.
During the waiting period I decided to practice and brush up on various tools and techniques. I endeavored to learn Python (I later discovered that it’s useful to learn, but I didn’t really need to be proficient). Since I wanted to practice and get comfortable with Kali, I pulled some boot2roots from Vulnhub.com, fired up VirtualBox, and hacked away. Some of the boot2roots state that they resemble the OSCP lab machines, so I set my sights on those. I think spending about 18 hours over the course of a weekend attacking the boot2roots really helped prepare me for what was yet to come. In hindsight, I should have spent more time on documenting my steps.
While I was waiting I also read blogs of those who had completed the OSCP. Some of the blogs made me feel a bit intimidated. Some put me at ease, while others had great information that helped tremendously throughout the whole experience. I would recommend that any prospective OSCP challenger read the Security Sift blog and Mike’s account of his experience.
My time had finally arrived; I was ready to get going full steam ahead. I also happened to be at the GrrCon conference. Once day one of GrrCon was over, I rushed back to my hotel room and signed onto the lab VPN.
The course materials include a course manual and a series of videos. I found the manual and the videos very complementary. Even though the videos walk through the course manual, there are subtle differences: sometimes the videos offer more explanation and context than the manual, and other times the manual is more detailed.
The course manual starts off very basic. As the course progresses the topics become more complex. The exercises are very helpful and I found myself going back to my documentation of the exercises while I was in the labs.
It’s a good idea to get in the mindset that documentation is king. You are expected to document all of the exercises in the manual unless noted otherwise. There are several good reasons why you want your documentation to be thorough. The main one is that good documentation may give you some extra points on the exam if you fall short. Another good reason is that if your documentation is good, you can refer back to it during the labs and the exam. As I mentioned previously, I went back to my documentation of the manual exercises frequently during the lab and even during the exam. Half of the OSCP exam is the hands-on challenge and the other half is writing the report. If you have good documentation, writing the report will be a snap. Plus, you can submit your documentation along with the report for possible points. Finally, getting used to documentation will help you once you are employed. Much of the value in a penetration test is how you communicate your findings to your clients and relate the findings to their business.
I signed up for 90 days of lab access. I took the first 30 days to go through the course manual, videos, and exercises. Then I began the labs. I’ll admit, I wasn’t completely disciplined towards the end of the course manual; I actually started attacking the lab machines when I was about 3/4 of the way through the manual. The feeling of pwning the lab machines is addictive.
There’s an interesting feeling that comes over you when you pop a box. A sudden burst of excitement and euphoria washes over you. All that frustration, all that stress that was building up, is finally let loose, like a rubber band under extreme tension that is suddenly let go.
The lab consists of a range of machines of varying difficulty, all designed to challenge you and to get you to try harder. It becomes clear as you progress through the lab that it is designed to offer challenges similar to what is taught in the manual. That being said, there are plenty of lab machines that are very unique and require significant research. Being able to use a search engine and understand how to perform advanced searches is key. It was certainly a major factor in my success. I would also advise that you become very familiar with Exploit-DB. There are many answers to be found there; however, it does not hold them all. This course makes the phrase “think outside the box” a requirement. Remember the Offsec motto, “Try Harder”. They were not joking.
I will mention documentation again because it is that important. Think about how you can organize it. I used KeepNote for documenting my time in the lab. I created a hierarchical model with a template that I had at the ready for each machine. It acted like a checklist of sorts. I included a section for enumeration with all of the common tools so I could capture the output, then a section to document how initial access to the system was obtained. I also included a section to capture how privileges were escalated and finally a page to document loot.
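The per-machine template and checklist described above can be reproduced with a few lines of code. The following is an added example, not part of the original post and not KeepNote’s own format: it renders the same hierarchy (enumeration with a sub-page per tool, initial access, privilege escalation, loot) as one Markdown file per target, and adds a readiness check that reports which sections are still empty before report writing begins. The target names, the tool list and the pasted sample output are constructed for the example.

```python
"""Per-target note skeleton plus a completeness check (added example, not from the post)."""
import tempfile
from pathlib import Path

# The four top-level sections the post describes for each lab machine.
SECTIONS = ["Enumeration", "Initial Access", "Privilege Escalation", "Loot"]
# Constructed list of common enumeration tools; one sub-page each so output can be pasted in.
ENUM_TOOLS = ["nmap", "nikto", "dirb", "enum4linux"]


def build_template(target: str) -> str:
    """Render the empty hierarchical template for one target as Markdown."""
    lines = [f"# {target}", ""]
    for section in SECTIONS:
        lines.append(f"## {section}")
        if section == "Enumeration":
            for tool in ENUM_TOOLS:
                lines.append(f"### {tool}")
                lines.append("")
        lines.append("")
    return "\n".join(lines)


def create_notes(root: Path, targets) -> list[Path]:
    """Create one note file per target under root; never overwrite existing notes."""
    root.mkdir(parents=True, exist_ok=True)
    paths = []
    for target in targets:
        path = root / f"{target}.md"
        if not path.exists():
            path.write_text(build_template(target))
        paths.append(path)
    return paths


def missing_sections(note_text: str) -> list[str]:
    """Return the top-level sections that contain no content lines.

    A content line is any non-empty line that is not a heading, so an empty
    tool sub-page under Enumeration does not count as captured output.
    """
    filled = {section: False for section in SECTIONS}
    current = None
    for line in note_text.splitlines():
        if line.startswith("## "):
            current = line[3:].strip()
        elif current in filled and line.strip() and not line.startswith("#"):
            filled[current] = True
    return [section for section in SECTIONS if not filled[section]]


def report_readiness(root: Path) -> dict[str, list[str]]:
    """Map each target name to its still-empty sections; the pre-report checklist."""
    return {path.stem: missing_sections(path.read_text()) for path in sorted(root.glob("*.md"))}


def demo() -> dict[str, list[str]]:
    """Build notes for two constructed targets, paste sample output into one, and check readiness."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "lab-notes"
        alpha, _bravo = create_notes(root, ["target-alpha", "target-bravo"])
        # Constructed sample: pretend a port-scan result was pasted into alpha's nmap sub-page.
        pasted = alpha.read_text().replace(
            "### nmap\n", "### nmap\n22/tcp open ssh  (constructed sample output)\n"
        )
        alpha.write_text(pasted)
        return report_readiness(root)


if __name__ == "__main__":
    for target, gaps in demo().items():
        print(f"{target}: {'ready' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Running the file prints one line per target showing which sections still need content; the same check run over the whole notes directory just before writing the exam report catches the gaps the post regrets not filling in.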
There were hidden treasures throughout the labs, almost like side challenges if you think about it like a video game. I ended up writing a script to brute-force an encrypted RAR file that had some goodies. Ultimately I’m not entirely sure if there was a reason to get the loot and explore the rooted machines, but it was fun to do. The loot added a level of realness to the experience. I looked at it as something I would include in the report as proof of a control weakness. For example, if you are presenting your findings to the client and they say, “So what, why do I need to worry about this?” you can say, “The identified weaknesses contributed to the exfiltration of sensitive information, e.g. bank account numbers.”
The lab tries to emulate an environment representative of a real corporate network. There are “public” machines, then a series of nested, segmented networks. The ultimate challenge (besides passing the final exam) is to gain access to a specific internal network. Unfortunately for me, time constraints and other obligations prevented me from owning all of the machines. I was, however, able to progress into all of the networks. I would have liked to spend another 90 days in the lab, but I was confident with what I had achieved and decided to schedule my exam date.
Unfortunately I wasn’t able to get an exam date near the end of my lab time. I ended up waiting about 30 days from when my lab time expired. I used up every last second of my time, to the point where I watched my VPN connection drop.
For the next 30 days I polished up my notes, went through the manual, and then I tried to forget about the exam. To me, this was important. I had to let my mind be at ease and think about other things for a while. I think this had some effect on the outcome because I wasn’t in a panic when the exam finally started.
The day before the exam I made sure to have my work environment set up. I had food at the ready, an ample supply of beverages, and plenty of caffeine. I had scheduled my exam for a Saturday with the plan of completing it on Saturday/Sunday and writing the report on Sunday. I also took Monday off to recover. That ended up being a good move.
On the morning of the exam I woke about 2 hours before the scheduled start time. I got my workstation ready, ate breakfast, and did a little exercise to get the blood flowing. Those two hours felt like an eternity. I was nervous and anxious at the same time. Nanxious? I tried to take my mind off the exam and put myself in a zen-like state. I tend to perform better when I am relaxed, so it was crucial that I find a way to clear my head. Oh, who am I kidding, I stared at the clock like a child stares out the window waiting for Santa Claus to come on Christmas.
9am, check email, no OffSec email. 9:00:30, new mail: “Penetration Testing with Kali Linux – OSCP Certification Challenge…” As Bruce Buffer would say, “IT’S TIME!”
The exam email contains all the information you need to connect to the exam lab, the VPN connection pack, the Exam Guide, and the list of targets.
The targets are selected by Offsec from a pool of machines. Each target is assigned points. To get the full number of points you need to get root. Some points are awarded when a low-privilege shell is obtained. It takes 70 points to pass the exam. That means you need to get root on most of the machines to pass.
The types of targets vary for each person, but at least one is dedicated as a buffer overflow machine. You are provided with a test machine that is pre-configured with all of the tools needed to develop the buffer overflow code.
In total it took me about 21 hours to get enough points to pass. I was almost ready to throw in the towel when I found the attack vector that worked. Had I been more methodical in my approach, I could have saved several hours. I overlooked some basics and disregarded low-hanging fruit. It’s really easy to overthink things, which for me wasted a lot of time. When I finally found the attack vector that allowed me to pass, I went from feeling defeated and exhausted to excited and energized, and I jumped up and did a little dance.
The hard part was over; I had summited the mountain that is the OSCP challenge, and now I had to write the report. I was sleep-deprived but too excited to sleep. After about 3 hours I was finally able to get some rest so I could manage to write the report.
Previously, I mentioned that documentation is king. I wish I had taken better notes and documented my steps better, but I managed to put together a report. The exam guide provides a report template and lists the minimum requirements for what should be in the report. I made sure I at least met all the minimum requirements. My report-writing strategy was to consider who the reader would be and to write the report as if I were communicating the findings to several audiences.
The executive summary contained the high-level view of the findings, the potential impact to the business, and a high-level view of how to resolve the problems. I wrote it in a way that an executive could consume the information quickly and that adds value. The next sections included more detail and were written as if I were communicating with the management team responsible for fixing the problems based on the report findings. The appendix contained even more detail for the technical staff who would ultimately implement the solution.
It took me several hours to get the report just right. I read, re-read, and re-read it again to ensure there were no typos and that the report made sense. Since I had managed to get enough points to pass, I opted not to submit my course notes and lab notes for points. I was confident enough in my report-writing abilities that I didn’t need the extra points. I was also exhausted and getting near the submission deadline.
I packaged up the report as outlined in the exam guide and submitted it. Once I got the receipt confirmation email I was finally able to relax and get some needed sleep. The OSCP challenge was over.
Offsec asserts that after the report is submitted you will receive the results within three business days. I only had to wait about 24 hours to get my results. At 9am Tuesday morning it arrived: an email with the subject “Penetration Testing with Kali Linux – OSCP Certification Exam Results…”. I eagerly opened it to see my results. I had passed!
The PWK and OSCP Challenge was one of the hardest and most rewarding things I have done. I don’t think anything has ever captured my attention more or made me more obsessed. I learned a lot from the course. The cost-benefit of the course is well worth it. Offsec says that once you are a student, you are always a student. This means that if you want to add more lab time, you can do so at any time for a very reduced rate. So if you’re reading this blog and are on the fence about signing up, just do it. You won’t be sorry.
These resources helped me successfully complete the OSCP Challenge: