TL;DR – I passed the OSCP exam and had lots of fun doing it.
The Offensive Security Certified Professional (OSCP) certification is well known in the security industry as a really tough certification. Unlike many certifications that rely on memorization and rote learning, the OSCP is awarded after a hands-on exam that forces the exam taker to demonstrate his knowledge through action.
I will try here to give a brief overview of the path I took towards this certification and share some of my thoughts about it.
My first steps in the hacking scene were taken back around 1997 when I was making my first steps in the wonderful world of the internet. I was 13 and my parents decided to get me an internet connection for my Bar-Mitzvah. A couple of months later I stumbled upon the once famous hackersclub website and IRC channel, and that was the beginning of my love affair with the wonderful world of information security (though I didn’t even know that was the name then).
Spending most of the 2000s in the army put a temporary pause on my dabbling in the grey side of hacking, but ever since learning of Kali Linux in the mid-2000s and of the OSCP certification, I knew I’d one day have to do it.
So after working for 4 years in the IT and IT security industry, by late 2014 I felt ready to get on my way towards the OSCP.
Penetration Testing with Kali Linux (PWK) is the basic course offered by Offensive Security and is a pre-requisite for taking the OSCP exam. The course consists of video lectures, a study guide and a very large lab environment, initially available with 30, 60 or 90 days of lab time that can be extended further. I decided I would sign up for 30 days of lab time and extend as necessary.
A few weeks later, in mid-January 2015, I received an e-mail from Offensive Security with download links for the course lab guide, the videos and a Kali Linux image designed for use with the course, and began my course.
The academic part
The “academic” part of the course (as I like to call the exercises in the study guide) is quite comprehensive, taking the student from the very beginning of recon through enumeration, exploitation and post-exploitation. The study guide is well written but leaves a lot for the student to find out by himself. For me, with my background in penetration testing, the study guide was more of a way to formalize my knowledge rather than adding much to it. I did not go too deeply into the exercises, but for someone without much experience it would be an invaluable resource. I’m somewhat split on the “extra miles” demanded of students; they could have better pointers and guidance for newbies.
All in all, I pretty much skimmed the exercises and went on to the real highlight of the course: THE LAB!!! Where there is gloom and doom while things go boom!
The OSCP lab is the crown jewel of the course. It’s composed of a single large network representing a corporate LAN and a number of smaller networks representing the restricted VLANs that you’ll find in a large corporation, forcing the student to pivot between networks.
The first steps in the lab were easier than I thought and feared, and I managed to compromise a number of machines and gain SYSTEM/root privileges within the first 2 days. However, the job got progressively harder as the low-hanging fruit was picked. I learned the hard way that this lab is all about enumeration, something that I now impart whenever I mentor a junior team member.
The lab exposes the student to a wide range of systems: there are many flavors of Windows, Linux and Unix machines, some patched, some not. There is a whole range of software versions, with systems from the mid-2000s to the latest and greatest systems out there. I wish there was some mobile OS as well, or even a Mac, but I realize it’s not as easy to set up. Hopefully in the future Offsec will add some (maybe start with an Android BYOD scenario?).
More than the range of systems in the lab, what excited me the most was the range of attacks the lab required. They ranged from simple brute-force directory guessing (dirb anyone?), through your regular Metasploit exploits and up to client-side attacks via numerous channels. It was unlike any CTF or challenge I’ve done before.
All that being said, I felt the lab was a little bit dated. A certain Windows exploit was way too important, and while I still encounter it on engagements, it’s not nearly as prolific as it once was. On the other hand, the lab is not intended to expose the student to the latest exploits but rather to teach him to enumerate, to use the tools of the trade and to be creative, and all of these the lab does very well.
The sense of accomplishment that you feel when you compromise one of the harder hosts, unlock a new network or take down another host after days of trying is pure ecstasy. This is the same excitement that I still feel whenever I access the client’s DC or other crown jewels on an engagement. This excitement is what keeps us penetration testers going, and it’s totally there during the course.
The lab also teaches the importance of post-exploitation, of looking for interesting information on the hosts themselves, as not all hosts can be compromised directly.
Documentation is extremely important during this stage. The lab report is part of the report you submit to Offsec after your exam, and if you lack points to pass the OSCP exam, it may be the difference between passing and failing. I got too excited on some machines and did not write up or take a screenshot, and so ended up with a report detailing fewer compromised hosts than I actually compromised.
I also suggest you work on the lab report well in advance of your exam, as it will be quite large and you really don’t want to type 150-200 pages in 24 hours. I used KeepNote for documentation, but given the chance would switch to Dradis if I had to re-do the lab. However, use what you like best and what suits your taste.
It is also a good idea to back up these notes; I kept my work on Dropbox.
After about 2 months of work I was done with most hosts. I then kept extending the lab a number of times to practice, re-visit some hosts and keep the exam date open. In August I finally decided to schedule the exam and got down to writing the lab report.
Knowing a large vacation was due for the holidays after Yom Kippur, I scheduled the exam for the day after and waited for the exam email to arrive.
The email arrived right at 1400 hours, containing the OpenVPN script for the exam lab and the exam guide PDF. I had 23 hours and 45 minutes to finish the exam and a further 24 hours to submit my report. On this exam you are not allowed to use Metasploit on more than a single host, nor any automatic vulnerability scanning or exploitation tools. You can use meterpreter whenever you want, but you’re limited to the commands you can issue in the shell.
The OSCP exam consists of a separate lab with hosts designated as your targets. Each host has a point value between 10 and 25 points. You score partial points for a partial compromise and need 70 points to pass the exam.
I started out by enumerating the sh*t out of my targets, taking the better part of an hour, and then started working on the harder hosts first. In hindsight. 4 hours in, I had a full compromise of a 20-point machine and a further 3 partial compromises. Within 5 hours I already had 2 full compromises and took a break. I can’t stress enough how important taking breaks and eating normally are during the exam. Your brain can’t work all that well when you’re tired or hungry, so whenever you compromise a host on the exam, take a 15-minute break. Go outside, breathe some air, call someone, brag on Twitter, do something that takes your mind off the exam for a while. I ended up playing a game of World of Warships whenever I made progress and compromised a host.
With the low-hanging fruit in hand, I kept on going and the 3rd compromise came only 5 hours later. At 10 hours into the exam, with 65 points in hand and 13 hours to go, I knew I was going to pass this exam. The fourth host was done about 2 hours later and I had 90 points in hand. Then the 10-point host showed me how exhausting the exam is. It was the easiest host on the exam and kept me chasing my tail for hours as I struggled to find a way to compromise it. Eventually I caught the telltale sign of the vulnerability and used my single allowed instance of Metasploit on the exam to compromise this host and gain a root shell.
18 hours, 5 Red Bull cans and 2 bottles of soda in, I had 5/5 hosts fully compromised and 100 points in hand. I went to sleep exhausted but satisfied, well after the sun had risen.
The next day I worked on my report, added the 50 pages of exam report and sent in the report early Saturday morning Israel time.
Around noon on Monday I received the email notifying me that I had passed the exam.
The OSCP exam and the course itself were simply amazing. They were hard, they made me question my abilities and then made me feel ecstatic whenever I overcame a new hurdle.
To be honest, this is NOT an entry-level course. If you don’t know what Linux is, have never used SSH or don’t know how to start a Windows server from the CLI, then you’re probably not yet ready. But if you are a sysadmin, an information security professional or a developer looking for a stepping stone into the field of penetration testing, then this course will make you appreciate every penny you spend on it.
I finally feel I have a certification that I really had to work for, one that’s worth a lot more than a simple 4-letter word. It proves that I have accomplished something much harder than just cramming a bunch of stuff into my head and spewing it out on the exam.
So, where to now? I’ll probably focus on obtaining a CISSP, and I’m about to begin studying for a Master’s degree in Computer Science. I will definitely do the next Offensive Security course (OSCE) soon.
So if you have any questions about the exam, drop me a line and I’ll be happy to help. If you want to do the OSCP – YOU SHOULD!