Journey to OSCP

This post will serve as a record of my journey to obtaining the Offensive Security Certified Professional (OSCP) certification (and because I’m pretty sure it’s a requirement to write a blog post about it). I plan to continuously update this as I progress through the course and eventually (hopefully) obtain this coveted certification (EDIT: So much for continuously updating. I simply spent all of my free time working towards this cert). I won’t be discussing any details of the lab or exam as that’s a big no-no. However, I will be discussing my experiences, how I prepared, and what works for me.

Why?

I’ve always loved computers. I went to college for computer science as I thought I wanted to be a programmer. For some reason, I changed my mind & decided that while I do like coding, I don’t think I’d like to do it as a full-time job. So after college I didn’t know what I wanted and just got a job doing what I knew how to do, fix computers. After working a help-desk job for a while I eventually started doing systems administration work. I should also mention that I joined the Air National Guard right after high school. A few years ago our unit started the process of standing up a brand new cyber squadron. As I was currently doing help-desk work in my Guard unit (and not enjoying it), I decided to switch to this new squadron. This also afforded me the opportunity to get my first taste of cyber security. I attended Operation Cyber Shield, a blue team training exercise. I managed to get on red team. This gave me my first taste of Kali Linux, Metasploit, nmap, etc. And I loved it! Ever since then, I’ve been doing everything I could to learn more about security. I’ve also had a fascination with penetration testing. Once I learned there was a cert that had you do an actual pentest as an exam, I’ve had my eye on it. But I wanted to be prepared. So for the next few years, I would sporadically do CTFs.

And so it begins…

As of writing this paragraph, it is Friday, March 1st 2019. Earlier this week I got registered for 30 days of lab time and will be obtaining my lab access starting March 17th. On that day, I’ll get my course material and access to the lab environment. I started with 30 days since I do have some experience with CTFs. I’ve done a bunch of Vulnhub VMs, HackTheBox machines, and a few of the SANS Holiday Hack Challenges. If I do need to buy an extra 30 days, it’ll only cost $50 more than if I were to have purchased 60 days from the start.

In the meantime, I’m brushing up on some missing knowledge (e.g., getting shells via SQLi) by reading the book Intermediate Security Testing with Kali Linux 2 by Daniel Dieterle as well as going through this great tutorial on buffer overflow vulnerabilities: https://github.com/justinsteven/dostackbufferoverflowgood

Friday, May 3rd, 2019

My original idea of updating this post along the way went out the window. With only 30 days of lab time, I ended up cramming a lot to prepare for the exam. Who knew that having a 3-year-old to watch and a pregnant wife to take care of would suck up so much time?

I took my exam last week on Thursday and got an email on Sunday morning saying that I had passed! A much faster turn-around than I was expecting. For the exam, you’re required to write a report on how you exploited each of the 5 machines (IF you were able to exploit each of them). You also have the option of submitting a lab report, which includes how you rooted no less than 10 machines and the answers to the exercise questions in the course material. You can get an extra 5 points on your exam score with this report.

Preparation

While I opted to create and submit the lab report, I almost wish I hadn’t spent the time on it and just practiced on the lab machines instead. I kept seeing posts on the OffSec forums & the OSCP sub-reddit from people that either barely passed because of their lab report or would have passed if they had done it. I believe I fall into the former category. While the PWK course material is great content, especially if you’ve never done this sort of thing before, it doesn’t really prepare you for the exam. The best way to prepare for the exam is to work on the lab machines. I spent a good 2 weeks on answering the exercise questions, which only left me 2 weeks to work on the lab machines. If it weren’t for my prior experience in working on VulnHub & HackTheBox machines, I’m sure I would not have passed with only 30 days of lab time.

Exam Day

I woke up at 6 am on exam day and went through my normal morning routine to help my wife with getting the kid ready for day care. I started the exam at 8 am. My first task was to fire up AutoRecon to start scanning the 4 main machines, then start working on the Buffer Overflow machine. The BOF machine took about 45 minutes and by the time I was done, I had a bunch of scans to read through. About 6 hours into the exam, I hit a wall. I had rooted the BOF machine and got a low privilege shell on 3 others. For the next 12-16 hours, I got virtually nowhere. Finally, after a fresh cup of coffee and a few more tweaks to an exploit, I rooted the 10 point machine (yes, the easiest one…). Shortly after that, I was able to get a low privilege shell on the last machine and didn’t have much time to try to escalate privileges on that. So by the end, I had rooted the 10 point & a 25 point machine, and got a low privilege shell on the two 20 point machines as well as the other 25 point machine. I can’t help but wonder if I would have done better on privilege escalation if I didn’t spend so much time on the lab report…

My best advice for the exam is to think outside the box. While I hate that advice as it doesn’t really help anyone, it’s the best I’m allowed to do. The exam really makes you think. There’s plenty of rabbit holes and nothing is as easy as “discover service, get version, find exploit, and execute script to get shell.” Though I will say the buffer overflow portion is the most straightforward thing on the exam.

Tools

I just wanted to list a few of the tools that I found invaluable for both the exam and the lab machines.

Scanning & Enumeration

As I mentioned before, AutoRecon is a great tool for enumeration. It’s incredibly noisy, so I wouldn’t use it in a real environment, but it’s great for OSCP or a CTF-like environment. It’ll run nmap scans to find all open ports and then automatically enumerate each open port with additional tools. For example, it’ll run enum4linux when SMB is open or Nikto when an HTTP server is running.

You may be familiar with Gobuster to brute force search directories & subdomains of websites. But for some reason, it won’t search for directories recursively. And maybe you’ve used Dirb to recursively search for web directories. If you want the speed of Gobuster and the “recursiveness” of Dirb, try Recursive-Gobuster.
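The noise the post mentions is also what gives these tools away on the server side: a wordlist-driven directory scan leaves a burst of 404 responses from one client in a short window. As an added example (not code from the post, AutoRecon, Gobuster or Dirb), here is a small Python detector that parses Apache/nginx combined-format access log lines and flags any client that accumulates a threshold of 404s inside a sliding time window. The log lines, IP addresses, paths and User-Agent string are constructed sample values, and the 60-second window and threshold of 20 are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window_seconds=60, threshold=20):
    """Flag clients whose 404 count within any window_seconds span reaches threshold.

    Returns {ip: {"requests": n, "not_found": n, "user_agents": [...]}} for flagged
    clients only. A per-IP deque holds the timestamps of recent 404s; timestamps
    older than the window are dropped as newer lines arrive.
    """
    windows = defaultdict(deque)
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "user_agents": set()})
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines that are not in the expected format
            continue
        ip = rec["ip"]
        s = stats[ip]
        s["requests"] += 1
        s["user_agents"].add(rec["ua"])
        if rec["status"] != 404:
            continue
        s["not_found"] += 1
        w = windows[ip]
        w.append(rec["ts"])
        # Evict 404 timestamps that have fallen out of the sliding window.
        while (rec["ts"] - w[0]).total_seconds() > window_seconds:
            w.popleft()
        if len(w) >= threshold:
            flagged.add(ip)
    return {
        ip: {
            "requests": stats[ip]["requests"],
            "not_found": stats[ip]["not_found"],
            "user_agents": sorted(stats[ip]["user_agents"]),
        }
        for ip in sorted(flagged)
    }


# Constructed sample log: a normal browser session from one RFC 5737 documentation address,
# then 25 wordlist-style probes in 25 seconds from a second address (two paths exist, 23 do not).
PROBE_PATHS = ("admin backup cgi-bin config css db dev docs images includes js login logs "
               "old private scripts secret static test tmp uploads users vendor wp-admin wp-content").split()
EXISTING_DIRS = {"css", "images"}


def _make_sample_log():
    lines = [
        '203.0.113.10 - - [03/May/2019:08:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
        '203.0.113.10 - - [03/May/2019:08:00:09 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
        '203.0.113.10 - - [03/May/2019:08:00:15 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    ]
    for i, path in enumerate(PROBE_PATHS):
        status = 200 if path in EXISTING_DIRS else 404
        lines.append(f'198.51.100.7 - - [03/May/2019:08:01:{i:02d} +0000] '
                     f'"GET /{path} HTTP/1.1" {status} 209 "-" "gobuster/3.0.1"')
    return lines


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['not_found']} x 404 of {info['requests']} requests, UA {info['user_agents']}")
```

The browser client has a single 404 (the missing favicon) and is never flagged, while the scanning client crosses the threshold on its twentieth miss. In a real deployment you would feed this from the log file or a SIEM query rather than the embedded sample, and the User-Agent field is only supporting evidence since a scanner can set it to anything.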

Exploitation

Any time I’m able to upload a file to a website running PHP, my go-to tool for getting a reverse shell is php-reverse-shell from Pentestmonkey.net.

Working on the OSCP lab machines, I used msfvenom a lot to create a reverse shell payload. To help cut down on the amount of time looking at help output from the tool itself, I used the MSF Venom Builder from PenTest.WS. You’ll need to create a free account on their site, but it’s well worth it. From their site: “PenTest.WS is a penetration testing web application for organizing hosts, services, vulnerabilities and credentials during a penetration test. A reporting module is available for documenting and delivering a full penetration test.” The MSF Venom Builder is basically a GUI tool to craft an msfvenom command as well as to start a listener in msfconsole.

Privilege Escalation

Once I got access to a machine, there were several scripts I would use to enumerate the system to look for ways to escalate privileges. On Linux systems, I would use LinEnum. For Windows systems that have PowerShell, I used PowerUp. On systems that don’t have PowerShell, I’d use Powerless.

Obviously, there are a lot more tools I used, but these are my most common ones.
