Hi Guys !! Great news, “I TRIED HARDER”. I have successfully completed Offensive Security’s OSCP certification and I would like to share my Journey and a few suggestions for those pursuing the OSCP exam or planning to take the course.
I prefer to keep this as short as possible and keep aside common rants of TRY HARDER !
The whole journey is put in 5 Key sections: Before taking the course , Preparation , Examination , My Examination, References.
Before taking the course:
Often the question that arises with most of the security geeks out there is whether they are prepared to take the OSCP course or not, because yes it costs a lot and it would be great if your company supports your excellence by sponsoring your certifications. Here is a broken down list that I personally feel is necessary for any security enthusiast to consider before he takes the course.
- Knowledge of operating Linux OS is a must , you don’t need to be a pro but one needs to understand what one is doing.
- Also have the knowledge of Kali Linux tools which concern to Information Gathering, Enumeration, Vulnerability Assessment and Penetration Test.
Note: Yes OSCP course will walk you through these tools, however getting acquainted with the tools within the prescribed course period is time consuming.
- Being an Indian and witnessing the Security scenario , Consultants and Testers are usually not allowed to perform an aggressive style testing that is taught in OSCP, we are restricted to taking local shells and report our findings. So if you are one among those i strongly suggest a practice on VulnHub machines. Once you get a hang of what is expected and what aggressive testing is really all about you will get into the mindset of compromising a machine and then elevating the privileges. This mindset will help you greatly in the OSCP labs.
- It’s often heard from a lot of people that scripting is required for OSCP else it will be very difficult to give the exam and labs. Let’s be honest it’s a myth, scripting is an added advantage and as a security tester you are expected to get your hands dirty with code. However for OSCP the core is you should understand what are you executing, it is a very wrong approach to match a vulnerability with the exploit title and just run it blindly and HOPE to get a shell. One should always go through the exploit along with its comments and understand what it is expect to do at minimum how is it connecting to the remote host and what is the shellcode being executed.
- Making sure you have enough time to practice on the labs while you are working in an organization , Time Management is really really important here to plan the number of days you will need to take the course , offcourse there is no harm in not considering as extensions to the labs are available but it is always better to plan an work towards it.
This is pretty much what you need to consider before taking OSCP.
During the Course:
Once you have taken the course you will be provided with a PDF , video series and the Vulnerable lab network. This is going to bring you a lot of joy as one will be treading over a lot of uncharted territory something not done before. It is a must to go through the PDF and videos briefly and practice the exercises if the concepts mentioned are new to you, if the concepts are already known and clear then there is no harm in jumping directly to the network lab. There will be times when one messes up and gets stuck in the lab and the admins in the Help section of Offsec will just hint you towards TRY HARDER !! i recommend to keep these things in mind while doing the course.
- Always remember the Machines are vulnerable and few of them are kept difficult for a reason.
- It is important to keep notes updated for all the machines as there are a lot of inter dependencies. Also switching between so many vulnerable machines make it difficult.
- Always keep note of the attacks and vectors , look at tall the potential open ports and enumerate properly.
- Personally i did a complete enumeration of the machine post which it was pretty easy to compromise the system.
- There are many blogs out there on the internet that have different tips and tricks for the restrictions of validation bypass that are levied in the OSCP network.
- make sure to do the exercises from the PDF if you are a first timer and new to these concepts they will help a great deal
- Yes the exam is tricky and it will force you to think out of the box but do not get discouraged.
- Always make sure you stay calm , keep hydrated and take breaks. You will be surprised to know that majority of the road blocks can be solved by taking a break from a gruesome tiring testing and enumeration as you might be stuck somewhere but when you sit back and get to it again you go through the entire enumeration you have done and are likely to end up finding the fishy point.
- Go through the exam rules very carefully , trust me this is the most important as you are not allowed to use certain tools which you might have extensively used in the lab to break the machines.
- Buffer Overflow is pretty basic and easy if you have done the PDF content correctly, so do not trouble yourself much over it or overdo it. From lab point of view reason not to overdo it because you will end up utilizing lot of time withing the lab period , doing more of something in security is always good i am not stopping you from doing that . LOL !
- Always have an open eye for minor edits required in the exploits that you match with the vulnerability that you think might exist on the machines.
- Do not worry about the reverts you get a lot of reverts and you can ask the admin to reset the counter for you.
- Do not think of using metasploit on a machine to exploit a vulnerability on more than one machine and try to find a public exploit. Offsec verifies your logs during your exam report review.
- Keep your commands and scripts if any handy and in place when your exam begins , I am a very unorganized when it comes to organizing scripts and commands, but i keep everything in one place so i don’t have to go hunting in case i remember that i had made notes for this.
- Always remember to take screenshots at every point in the exam , it is harmless if you take a lot of screenshots but have a few in use. However it is harmful if you are missing a screenshot it will directly affect your score for lack of evidence.
- Always take the local.txt and the proof.txt along with ipconfig/ifconfig as a screenshot and feed the keys to the offsec portal you will receive during the exam.
- Make notes and re look at your screenshots once you compromise the machine .
- The report format is straight forward and simple, avoid wasting time questioning if what you are writing has to be perfect. The whole aim of the report is to ensure you know your stuff and are able to explain your thought process with screenshots of the steps that have been taken. (No need to show steps for a failed attack and because of the failed attack you thought of this and used this attack type of writings)
- If you are done with the exam and are still capable of pulling yourself i suggest working on the report right away . Yes you do get 24 hours post exam however as things are fresh in your head you will be able to do a pretty good write up and figure out any missing screenshots which can be taken asap.
- Post my exam i had not closed any windows of the Offsec VM i just saved the state because all the work done was there and there are Web pages cached and command windows opened. Incase any screenshots were missed i could just scroll through and take them.
I’ve had a fear of failure and i was pretty hesitant to give the exam thinking i was not ready and i delayed my exam date a lot. Eventually making a stand I booked myself a date and took the exam. Cleared it in the 1st attempt. I took my exam on 25th June 2017 starting at 2:30 , had an almost sleepless night with the adrenaline rush of the exam coming the next day. There was this impatient feeling to just start with the lab at 2:30pm. Offsec sent me the email of the questions 5 mins before the exam starts.
I quickly glanced through the questions and decided to get with Buffer Overflow as it was easy and did not take time. Buffer Overflow exercise was done within 1 hour with the POC ready. Used the developed exploit on the vulnerable target and got the shell. Second there was a 10 mark machine easy and a little tricky managed to do the same in a few hours. Third machine was cracked by 10 in the night. Then fourth half by 12, by this point i had pretty much cleared the exam and was sort of relaxed, decided to take a good nights rest slept from 12-8 then resumed working. After a lot of tries i failed to take system level access over the 4th machine so decided to move to 5th. I got the local on 4th and 5th machine however it was difficult to elevate the privileges. I stopped at 2 o clock and started working on the reports. Submitted the reports by EOD to offsec and took slept the hell out.
Note: I took a lot of breaks in between , every time i felt frustrated and went blank i would excuse myself for 10-15 mins and indulge in other activities walk , talk , interact , window gaze etc. LOL !
Make sure you eat light and enough it keeps your energy levels up and you don’t feel droopy during the exam.
There are a lot of references you can use for preparation and during your lab and exam here are a list of ones i was frequently on. You will be surprised what these website have for you to offer. Majority of my work was missing research was helped from here and there a lot of new things you can learn.
I would like to thank all my security friends who help me understand the places where i lacked in enumeration and push me in the right direction.
Special thanks to Marc Kisner, Jatan Rawal, Javed Khan for helping me understand my weaknesses in the lab network.
That’s all for now folks. Good luck with your preparations and good luck with your exam.