It was a 9 month journey but on 8th of February I passed and became an OSCP on my 1st attempt.
Before I begin, I would like to thank a couple of people who made this amazing milestone come true.
First, I want to dedicate this post to my parents. Thank you for giving me the time to focus on this and also to prepare for this journey. I know during my journey I did not get to spend much time with you since I was pretty much on the computer every single day just prepping for this. I cannot thank you enough for supporting me and for pushing me to follow my dream. I will always be here for you.
Second, I want to dedicate this post to my girlfriend. Thank you for being supportive and for letting me rant about my issues or when I got super happy to get a shell on a machine. I know I sacrificed a lot of time where we could have gone on dates or been with each other, but you gave me the space and time I needed to complete this. I love you very much.
Lastly, I want to thank the InfoSec community and my friends who stood with me when it mattered a lot. A lot of you reached out to me in so many ways to check up on me and to support me through this journey. I know there were times where I even ranted to you about my journey and you were there to comfort me. I could list every single person that has reached out to me during this journey and this post would just be endless! Thank you for inspiring and also motivating me to learn more. I hope that I can always help someone in this field to learn something and be able to provide support when they are in need.
Having a Bachelor’s degree in Electronics and Telecommunication engineering, I had a good foundation for understanding the TCP/IP stack, programming languages, and data structures, and the stamina as well as the will to self-study and do a lot of research, which is very important for the PWK course. I had also been working in the field of information security for the past 2 years, which made it much easier to understand security concepts such as the significance of threats, vulnerabilities, and their associated attack vectors along with their remediations. As I was preparing for OSCP, I started doing a lot of CTFs from places such as VulnHub (https://www.vulnhub.com) and HackTheBox (https://www.hackthebox.eu). I was aware of the concepts; however, I still gave my time to learn all the concepts that are listed in the PWK course. This does not signify that I became “1337” or achieved God level. The PWK course provides you with more ways, tricks, and methodologies which you can use to perform real-life penetration tests, as mentioned on their website, https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/. Penetration Testing with Kali, or PWK, is a well-recognized course provided by Offensive Security, and is one of the most respected courses in the infosec community. The course is a prerequisite in order to appear for the OSCP examination.
PWK Course: What to expect in the labs?
You can take lab time of a minimum of 30 days, up to a maximum of 90 days. Purchasing lab time also provides you with one complimentary examination attempt. Once you register, you select the week you want to start your studies — specifically, a new course begins on a Saturday/Sunday. It is encouraged to register 10–30 days before your expected start week, since time slots fill up really fast! On your assigned course start date, you’ll be provided access to download all your course materials, including the 8-hour Offensive Security PWK course videos, the 370+ page PWK PDF course, and your VPN lab access. Once your lab time starts, it will be a continuous block, meaning that you can’t stop/start it at any time after the start date.
You would have to learn a bit of Python for scripting purposes, refer to a lot of places, such as Google, for information gathering, get familiar with tools such as Nmap, Nikto, Metasploit, Burp, and various others, and read more about what these tools do and how you can use them to your advantage with the features (the options) they offer. You would also be required to know some basic commands for the Linux and Windows CLI; knowing CLI commands is important throughout the course. Per Offensive Security, the course has been segregated into the following topics:
· Getting comfortable with Kali Linux
· The essential tools
· Passive information gathering
· Active information gathering
· Vulnerability scanning
· Buffer overflows
· Win32 buffer overflow exploitation
· Linux buffer overflow exploitation
· Working with exploits
· File transfers
· Privilege escalation
· Client-side attacks
· Web application attacks
· Password attacks
· Port redirecting and tunnelling
· The Metasploit framework
· Bypassing antivirus software
· Assembling the pieces: Penetration test breakdown
When starting my OSCP journey I opted for 90 Days in the labs (3 Months). I thought that this would be plenty of time for me to go through the PDF, Videos, and Lab, and that it would provide me with enough room if some days/weeks would be too hectic for me to study. I received my course material on 18th of November, 2018. I instantly got to work going through the PDF and supplementing each chapter with its respective video. It’s recommended that you go through both the PDF and Videos as the videos sometimes have more details than the PDF — which should help shed some light on a few things. I spent about a week going through the whole PWK Course and a few of the Exercises, and spent a lot of time on the Buffer Overflow section, as that was one of the topics I knew I wanted to ace! Overall, for me, the PWK Course was honestly a refresher — the only thing that was beneficial for me was the Buffer Overflow and Pivoting sections of the course. I only completed about half of the exercises before I decided to jump into the PWK Labs.
Now do note, that the PWK Course doesn’t provide you with everything you need to know! The Course is there to help build the foundation and teach you the initial basics you need to succeed. There will be countless things that you will still need to learn/research yourself during your time in the labs — so I suggest you brush up on your Google Fu!
The PWK Lab
The PWK Lab is the meat of the PWK Course. This is where most of your learning takes place. The lab has more than 50 Machines total of varying OS’s, vulnerabilities, and misconfigurations separated in 4 different network sections — Public, IT, Dev, and Admin. Your goal is to get access to the Admin network, but for some, the goal might be different — so don’t let it get to you if you can’t get into the Admin network!
All the machines in the lab vary in difficulty — some are easy, while some are “bang your head on the table for hours on end” hard. There might be a time in the labs where you think a machine is invulnerable… and you might be right, but that’s not how the course was set up. The PWK Lab was configured to simulate a real live network environment, which means that some machines interact with one another and could be compromised by Client-side attacks. Other machines on the other hand might have information on them that can lead to the compromise of another machine in the lab. In general, you should never leave any stone unturned and properly enumerate. If you find yourself stuck, you can always access the OSCP Forum on NetSecFocus and IRC to ask for help or to browse for hints. Don’t worry if you need to do so — it’s part of the learning process! Just don’t get aggravated if most of the answers you get are “Try Harder” or “Enumerate!”, because chances are, you didn’t enumerate properly and missed a critical piece of information.
At first when I got into the Labs I was overwhelmed; I didn’t know where to start! Thankfully, the PWK Course goes over some simple enumeration scans, which can aid you in starting your attack. During the whole time I used OneNote to keep track of all my notes, scans, commands, and screenshots.
Upon jumping into the lab, I ran a small set of scans with Nmap and came to notice a specific service running on one of the machines, one that I previously saw when doing a machine in HackTheBox! I got so excited that I attacked the machine right away — within an hour, I had root access and managed to learn a few new things! It was honestly a great start. Within 30 days, I managed to root 30 of the devices — including the coveted Pain and Sufferance — and had access to the Dev and IT network. At that point, I opted in for the OSCP exam and locked in the time for February 3, 2019 at 9AM.
At first, I went through the Lab using Metasploit and some manual exploitation. For the last 30 days, I went back through all the machines I exploited via Metasploit and managed to do them all manually — either by porting over the Metasploit Exploits via Python, or using third party scripts and tools to connect to services such as MSSQL, etc. In all honesty, this was a great idea as it helped me better understand exploit writing, and it aided me during my OSCP Exam.
Finally — February 3 came around. I woke up around 7:30AM — ate some breakfast, drank some tea, and went for a walk to relax and catch my thoughts. By 8:30 I was sitting at my desk, all my workspaces in Kali were configured the way I liked. Sure enough, at 9AM I got the email from OffSec with my Exam VPN and instructions. I took 15 minutes to read everything and make a mental note on what I needed to do. By 9:30 I was off and taking on the first machine. 1.5 hours after my initial start time, I finished one machine. I was able to exploit the machine and attained a root shell! I was a nervous wreck, and the butterflies in my stomach were acting up, but by 12PM I had two machines rooted with 35 points under my belt! At this point I decided to step away for 30 minutes and take a small break.
After a relaxing break, and some food in me, 2 hours later I was able to attain a limited shell on another device using an actually pretty complex and interesting method. An hour later, I was able to attain a high privilege shell, bringing me to 60 points! In all honesty I overcomplicated the process and missed a critical piece of information — I only found it when I went back and enumerated again!
I went on, picked another target and started performing enumeration. Achieving a shell on the machine was easier than I was expecting. This, in turn, gave me a total of 70 points! I was ecstatic and certain at that point that I was close to clearing the examination and getting the coveted OSCP certification. Now I shifted my goal from getting passing marks to getting all the challenges done that were provided to me.
For the next 4 hours I was at another roadblock. I couldn’t find a way to escalate privileges — even though I went through the process twice. Nothing seemed to work till 11PM, which left me very frustrated. I found myself bouncing back between the privilege escalation and the other machine, hoping to find a way to get the final limited shell, or to attain root. By 2AM I gave up trying to get root and made up my mind that I needed the other limited shell, which I got after I took a nap for an hour.
After a brief nap, I started to do the last machine. To be honest, getting the shell was really tough, because I overlooked some information at first, which was really important. Once I read that piece, I realised that I had been running back and forth into a rabbit hole. I was able to achieve a shell at 4AM. By 6 AM, I was done with the last challenge. This made sure that I had 90 points — enough to pass the examination. I was unhappy that I was unable to get root on the other machine, but being very exhausted, I tapped out. I woke up around 1PM the next day and began working on my report, which was about 40 pages long and pretty detailed. I submitted my report at around 9PM Monday morning. After a long wait, I got the message on Friday.
All I can say is — wow! I have the utmost respect for anyone that takes the OSCP Challenge and passes it. This is by far one of the hardest challenges that I have done to date and it has taught me a plethora of new things that I can utilize in my day to day work activities. I sincerely want to thank OffSec for this amazing experience and opportunity, maybe I’ll do the OSCE next!
Tips and recommendations
I know that many of you who will be reading this post will ask for tips/recommendations on either preparing to take the OSCP or on how/what to do during the exam. Well, not to worry — in this section I will break down and include a lot of the materials I used to prepare for the OSCP as well as some tips/tricks to use for the exam.
In the PWK Course, OffSec states that you need to understand the following fundamentals to take the course…
Penetration Testing with Kali Linux is a foundational security course, but still requires students to have certain knowledge prior to attending the online training class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus. This advanced penetration testing course is not for the faint of heart; it requires practice, testing, and the ability to want to learn in a manner that will grow your career in the information security field and overcome any learning plateau.
If you are somewhat unfamiliar with these basics, here are some links to help you learn the required materials:
- TCP/IP & Networking
  - Networking Basics: TCP, UDP, TCP/IP and OSI Model
  - Common Ports & Protocols
  - Security+ Section 1: Network Security
  - Nmap Basics
- Linux & Bash Scripting
  - OverTheWire — Bandit
  - Bash Scripting Tutorial
  - Null Byte — Linux Basics
  - Codecademy — Python
  - Python 2.7.14 Documentation
Now that you have a fundamental understanding of the basics, you need to practice… a lot! If you are pretty new to Penetration Testing and think that taking the OSCP will teach you — then you are dead wrong! You need a lot of previous training and experience to even attempt something like the OSCP.
The following materials below will help you take the first steps into Penetration Testing, and for those who are already experienced, it will help you practice and expand your skills.
- Cybrary — Penetration Testing and Ethical Hacking
- Cybrary — Advanced Penetration Testing
- Cybrary — Web Application Penetration Testing
- HackTheBox Walkthroughs by IppSec
- Penetration Testing: A Hands-On Introduction to Hacking
- The Hacker Playbook 3: Practical Guide To Penetration Testing
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
- Black Hat Python: Python Programming for Hackers and Pentesters
- Hacking: The Art of Exploitation, 2nd Edition
- Practice Labs
  - OSCP-like VMs:
    - Kioptrix 1–5
    - FristiLeaks: 1.3
    - Stapler: 1
    - PwnLab: init
    - Brainpan: 1
    - Mr-Robot: 1
    - HackLab: Vulnix
    - VulnOS: 2
    - SickOS: 1.2
    - SkyTower: 1
  - Practice on the Retired Machines too… trust me!
  - Pentestit Labs (Advanced Only!)
  - PentesterLab — Bootcamp
  - Exploit Exercises — Mainsequence
  - OverTheWire — Natas
- Study Materials & Guides
  - Awesome Pentest
  - Security Notebook
  - Spawning a TTY (Interactive) Shell
  - Reverse Shell Cheat Sheet
  - Metasploit Fundamentals
  - Creating Metasploit Payloads
  - Windows Privilege Escalation
    - Windows Privilege Escalation Fundamentals
    - Windows Privilege Escalation — Checklist
    - Quick Notes
  - Linux Privilege Escalation
    - Basic Linux Privilege Escalation
    - Linux Privilege Escalation Scripts
    - Exploit Exercises — Nebula
  - Buffer Overflows
    - Exploit Writing Tutorial Part 1: Stack Based Overflows
    - Exploit Writing Tutorial Part 2: Stack Based Overflows — Jumping to Shellcode
    - Intro to x86 Assembly
    - Exploit Exercises — Protostar
I know that there is a ton of material here, and it might seem overwhelming at first — but do know that much of these topics overlap each other once you begin studying offensive security. Remember, it takes time to learn — you need to enjoy the process of learning, or you will never get to your end goal! Take it slow, start with the basics, and work your way up.
As with everything, there are certain things you should know and be doing during the PWK Lab and the OSCP Exam; the following tips should help you stay focused and steer clear of rabbit holes.
1. Enumerate, Enumerate, Enumerate!
2. Simple Nmap scans with script scanning are your friends!
   nmap -sS -sV -sC -n [IP]
   nmap -sU -sV -n --top-ports 200 [IP]
3. Enumerate SNMP (UDP 161) if it’s open!
   snmp-check -t [IP] -c public
   - This will show other open ports/running services and applications!
4. Enumerate SMB (TCP 139/TCP 445) if it’s open!
   - This will show open shares, anonymous logins, etc.
5. Run nikto on interesting directories!
   nikto -h http(s)://[IP]:[PORT]/[DIRECTORY]
6. DirBuster over dirb. Opt for the medium wordlist for better results!
7. Check for anonymous logins for FTP/SMB!
   smbclient -L \\[IP]
8. Check for WebDAV! The Nmap script scan should pick it up! If not…
   davtest -url http(s)://[IP]
9. Don’t overthink it! Try low hanging fruit first!
   - Password the same as Username?
   - Username/Password combo of
   - Google the documentation. Default credentials/login?
10. Rotate machines every 3–4 hours. Don’t tire yourself out!
11. Have an idea? But it seems impossible? Try it… you never know! =)
12. Take frequent breaks. Opt for a 10 minute break every 2 hours.
13. Eat and drink! Make time for lunch and dinner. Your brain needs food to function.
14. Limit caffeine intake; 1–2 cups of coffee is okay! But drink tea and water.
15. Don’t have any snacks next to you. If you’re hungry, walk to the kitchen for a snack; this will make you walk away from your PC and will help clear your mind.
16. Breathe… relax… you have 24 hours!
17. Organize your notes, take screenshots, and document everything!
18. A few days before the exam, create and edit your report outline.
19. In the PWK Lab, practice the Buffer Overflows till you can do them by heart and without notes.
20. Don’t give up too easily, and most importantly… “Try Harder!”
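As an added example (not part of the original post), here is a small POSIX shell helper that turns one line of Nmap's grepable output (`-oG`) into the follow-up checks from tips 2–8 above, so the SNMP, SMB, FTP, nikto and davtest steps are not forgotten once the port scan finishes. The host address and service lines are constructed sample data, and the follow-up commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post): map one line of nmap grepable
# output (-oG) to the follow-up enumeration commands from the checklist above.
# Commands are printed, not executed. The two scan lines are constructed samples.

SAMPLE_TCP='Host: 10.11.1.5 () Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 80/open/tcp//http//Apache httpd 2.2.8/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 443/open/tcp//ssl|http//Apache httpd 2.2.8/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/, 3306/filtered/tcp//mysql/// Ignored State: closed (994)'
SAMPLE_UDP='Host: 10.11.1.5 () Ports: 161/open/udp//snmp//SNMPv1 server (public)/'

# followups LINE: print one follow-up command per line for each open port.
# An -oG port entry is port/state/proto/owner/service/rpcinfo/version/ and
# nmap writes TLS-wrapped services as "ssl|http" (pipe, not slash).
followups() {
  host=$(printf '%s\n' "$1" | sed -n 's/^Host: \([^ ]*\).*/\1/p')
  # keep only the port list, drop the trailing "Ignored State" summary,
  # then put one port entry per line
  printf '%s\n' "$1" |
    sed -n 's/.*Ports: //p' |
    sed 's/[[:space:]]*Ignored State:.*//' |
    tr ',' '\n' | sed 's/^ *//' |
  while IFS=/ read -r port state proto _owner service _rpc _version _rest; do
    # UDP probes often come back open|filtered; treat those as worth a look
    case "$state" in open|"open|filtered") ;; *) continue ;; esac
    # The https pattern is listed first: a case "*" also matches "/", so
    # tcp/*/http would otherwise swallow "tcp/443/ssl|http".
    case "$proto/$port/$service" in
      tcp/*/https|tcp/*/"ssl|http")
        printf 'nikto -h https://%s:%s/\n' "$host" "$port" ;;          # tip 5
      tcp/*/http|tcp/*/http-alt|tcp/*/http-proxy)
        printf 'nikto -h http://%s:%s/\n' "$host" "$port"              # tip 5
        printf 'davtest -url http://%s:%s\n' "$host" "$port" ;;        # tip 8
      udp/161/*)           printf 'snmp-check -t %s -c public\n' "$host" ;;  # tip 3
      tcp/21/*)            printf 'ftp %s\n' "$host" ;;                     # tip 7: try anonymous
      tcp/139/*|tcp/445/*) printf 'smbclient -L //%s -N\n' "$host" ;;       # tips 4/7: null session
    esac
  done | awk '!seen[$0]++'   # 139 and 445 both map to smbclient; print it once
}

followups "$SAMPLE_TCP"
followups "$SAMPLE_UDP"
```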