My OSCP Journey

To establish my street cred and give an insight into where my perspective comes from, my background is mostly in perimeter security where I have been working as a blue team engineer / consultant for the last 10 years, primarily with network and application firewalls of multiple vendors Check Point, Fortinet, Cisco, Juniper, Palo Alto, Imperva, McAfee, along with multiple security products

After acquiring an interest for offensive security in 2014 I got the eCPPT or PTP certification as it is referred now, a week after I got the eCPPT certification my sons were born. As a father of twin toddlers my time is always borrowed so I decided to finally tackle OSCP in 2016 when I was feeling I had the time to commit.

Preparation

In preparation of the course it self I revisited all my notes from eCPPT, all the material surrounding Buffer Overflows, Metasploit as well as scripting where I was rustiest after not doing much apart bash scripts on my day job.

To that end I decided to buy a couple of books just to sharpen my skills a bit and go on the front foot of the basics.

The 3 books I bought and read:

BlackHat Python – Great python book, I developed some great tools because of this.

WebHacking Exposed– Good book, more on the basics side but a great start for beginners.

GrayHat Hacking 4th Edition – A great all-rounder, haven’t gotten around to finishing it.

One fine day, when I felt ready to kick the tires on this project I enrolled in the course with a start date of early September, I opted for the 60 day lab access with high hopes of taking the exam before Christmas.

After a month of reading and waiting for my company to approve the cost of the course (they were kind enough to foot the bill, who am I to insult them), I finally got the confirmation that my registration was complete and I would be starting on the requested date.

My heart skipped a beat with both anticipation and sheer anxiety as to how well I would cope, this course has a reputation of being intense and I had to balance my time between.

Course and Labs

I started the course on the day the email came through after going briefly into the material I started downloading the custom Kali image, login the forum, join the chat room and finally read the material, I felt giddy and a bit lost at the same time.

So being a simple git I decided to keep it simple and not overstress about the lost lab time but start by going through the material and deal with the lab itself later. I went through all the exercises and videos within 7 days and then it was on to the lab.

The material is very basic and serves into pointing you to the right direction rather than hold your had through it. This is where I disagree with Offsec and I believe their material should be more entry level friendly as this is an entry level exam, e-Learn Security was more educational, although it did take some shortcuts that Offsec didn’t, yay to me for having both.

The labs…. What can I say… I felt like a lost puppy the first few days looking for the low hanging fruits and struggling to map out the lab as it is vast. So I created a spreadsheet with the live hosts I could detect as well as the progress I had made on them.

After spending a few hours enumerating a host if I hadn’t any obvious lead I would park it and move on, slowly and steadily the low hanging fruits fell and some machines implied their dependency on me, its all about becoming methodical and thorough.

It cannot be stated enough, enumerate enumerate enumerate! If your stuck somewhere you haven’t researched it enough!!!

My Spidey sense started becoming attune as to which hosts had more for me to enumerate either pre or post exploitation and which seem to be dependent on something else. A huge boon to this was the forum which people gave hints vague at first but after a few hours of struggling with a host you get that Eureka! moment where you understand “Oh that’s what he meant”.

The admins will give you a hint if you are hopelesly stuck but will not ever give you an outright solution, also moaning about it will get you the opposite of what you want, if you generally display a decent effort you will be awarded… by none other than yourself, this course teaches self reliance if anything.

Research into alternative tools (ex fuzzing) enhanced my arsenal and soon I was using 3-4 different tools of the same scope to attack a host with varied results, what was beautiful about the lab though, is that the best results were yielded but all hands on work. A good number of hosts requires you to exploit a misconfiguration rather than a known skr1pt k1dd13 exploit, which forces you to research and understand the intricacies of both OS and applications.

The big four (Pain, Sufferance, Gh0st, Humble) kicked my teeth in many times and they took me through the emotional rollercoaster of :

1.Let’s have some fun

2.Oh sh1t what’s this

3.I’m Fn stupid

4.Kneel before r00t!

The admins will not give you any hints on these and you will need to man up and take them on all by yourself.

What was surprising is that although I pretty much left those for last I found in the forum posts that people who had sliced and diced the big four, had a hard time with some machines that I found relatively easy and here cometh the lesson:

Your exposure and experience determine what is difficult, each student faces different challenges depending on their knowledge and experience that is unique to them, you may be good at web exploitation for example but you may not be in network or scripting or puzzles etc.

Offsec did an awesome job to create a monster of a lab that will test its students in a variety of ways, furthermore many machines are vulnerable to multiple vectors so you have a lot to play with. It’s all about patience and persistence.

After extending my lab access and a total of 80 days of gruelling, relentless battle in the labs all hosts were checked off in my list J Woohoo!!! Time to book the exam.

The Exam

Game time! After all you go through in the labs you don’t feel ready and you shouldn’t, complacency is not something you can afford.

I spent my last 10 days in the labs knit picking the hosts I had selected for my lab reports and found out I had a few holes in my notes (hard to think straight at 4 in the morning) which I couldn’t remember what exactly I had done. Uber valuable for the exam itself (as my eCPPT experience also taught me), I kicked myself in the backside to keep better notes.

I also created a monster cheat sheet of all topics that I can quickly reference at the drop of a hat for the exam, I polished my scripts and then waited.

At 09:00 on the Monday that I had selected for the exam the email arrived, or rather didn’t in my case thanks to our new anti-spam (made note to self to drop lots of spit in my mail admins’ coffee), luckily I had registered my other email with the admins and after a quick chat with support, 09:15 I was off to exam land.

The first few hours were just keeping calm, reading through the exam objectives and following the overall enumeration process steps I had developed and had documented for myself. The “easy” hosts of the exam were selected to get the ball rolling, but in reality I was running some iterations of tools to capture all the information I could obtain from the auto and semi-automated tools.

3 hours later the first host fell and I was midway into another, that was the end of the fast track though as I stumbled my first big hurdle, in short the next 10 hrs were spent on one host, after that it felt downhill although I did not let myself get cocky, I spent another 8 hours going after the rest of the hosts, in the end I had only one host left which I managed to get a low priv shell only.

In between I ate, cried laughed, did some pushups, took a few rides on the previously mentioned roller coaster and finally at about 05:00 in the morning I was done, I had done as much damage in the lab as I could and had collected as many screenshots, notes and evidence I could.

After a 3 hour nap it was on to the report, I spent about 6 hours writing it, in the words of Armando Romeo founder of e-Learn Security, writing the report is like telling a story you already know, this is where the detailed documentation came in handy.

I spent another 4 hours revising it and going through all the stupid mistakes one makes when one is more than 24 hrs into it and with a slight sense of dread I uploaded my reports (lab and exam). 8 hours later I got a simple email confirming my submission.

I chose to report on 15 machines in the lab and that ran me 220 pages of fully documented (with screens and code) material, the exam report was an even 64 page document. Some people tend to be more brief, I chose to go fully documented.

The worst was ahead, the wait… I was climbing the walls for 3 days until one fine Thursday evening I got a confirmation I had passed… a huge weight lifted off me and I could enjoy Christmas with the kids and be jolly.

Lessons learned

  1. Never give up, ever! If you can’t find a solution you haven’t looked hard enough.
  2. Document your notes in a clean way. Pass on what you learned (without spoilers ).
  3. An hour of careful enumeration saves two days of …. Frustration.
  4. Nothing is impossible except turning back time, so manage it carefully.
  5. Don’t be intimidated but also don’t get cocky.
  6. I never realised how much I wanted this until it was 03:00 and I hadn’t peed for 6 hours.
  7. Buy tons of flowers /gifts for the wife as she will need to back you up big time!
  8. Have fun !!! Even if you fail that’s ok, a setback = a setup for a comeback.

Leave a Reply

Your email address will not be published. Required fields are marked *