How I Passed the OSCP

Recently I had the opportunity to take the PWK course offered by Offensive Security. Given how helpful the community has been during my journey, I felt it was my duty to provide a helpful write-up for all those pursuing the OSCP.

The most useful questions I enjoyed reading were:

  • What experience did you have before you started the PWK?
  • What did you do to prepare?
  • What was your exam strategy?
  • What do you plan to do next?

What is the OSCP?

The OSCP stands for Offensive Security Certified Professional. The certification is offered by Offensive Security who provides the study materials and lab environment to prepare for the OSCP exam (PWK). The course primarily covers skills needed to begin penetration testing an environment or at least the mindset and methodology needed to be successful in information security. Check out the syllabus HERE for all the topics covered.

Who should go for the OSCP?

Everyone currently working in or wanting to get into security.

What experience did you have before you started the PWK?

Before signing up for the course I started using some free resources to get a feel for what I will need to learn. I started with HacktheBox and watching ippsec videos on youtube. In addition, I would play in any CTF competitions on the weekends using ctftime.org. At the time of starting the PWK, I had 6 years of information security experience and held a few foundational security certifications: CISSP, CySA+, AWS Security, etc. I do not feel the experience and certifications are necessary to start the PWK, but I feel it allowed me to move a bit quicker through the provided PDF training material so I could start my hands-on training.

What did you do to prepare?

Let’s set the stage for how much time I was able to dedicate to prepare for this certification. I currently work full time as a Security Engineer during the days, have a small toddler to care for after work, and had precisely two hours to dedicate to studying for the OSCP each day. With this in mind, I used up an entire seven months of preparation for the OSCP.

Primary setup:

  • Windows 10 Host
    • |—VirtualBox
      • |—Latest Kali release

Before purchasing the material from Offensive Security I started with purchasing a VIP subscription to Hack The Box. To start I did 8 of the “starting point” machines. Following those boxes, I did 22 more easy and intermediate retired and active boxes. Hack The Box was a great resource for learning initial enumeration skills, but far from the best I used during my practice. Most of the machines are fun, but not too realistic. HackTheBox machines spawn the phrase “CTFish”, which just means the machine most likely has “bread crumbs” that you wouldn’t see in a real environment.

Next, it was time to work on my buffer overflow skills. There is no better practical resource for OSCP buffer overflows than the TryHackMe OSCP Buffer Overflow room created by Tib3rius. This room contains 12 challenges, but the machine contains even more executables you can use to practice buffer overflows. See my write-up on the OSCP TryHackMe room here. Completed the 12 buffer overflows and felt I had a decent understanding of what to expect during the OSCP.

A few other resources I used before starting the PWK were 3 courses available on Udemy. The first course that focused on the overall topics of the OSCP was the “Practical Ethical Hacking – The Complete Course” by Heath Adams / TCM Security, Inc. Once I had a decent understanding of initial enumeration to obtain a foothold on a system, I started looking into methods of privilege escalation. The primary resource I used for learning the common privilege escalation methods was the “Linux and Windows Privilege Escalation for OSCP & Beyond!” by Tib3rius. I can not recommend these courses enough. This allowed me to quickly move to the precious PWK labs when I purchased the course.

I purchased 30 days of lab time in October 2020 knowing this would not be sufficient for my two hours of study/practice time per day. I planned to basically work through the PDF and not initially focus on the labs. Once I received the PDF I immediately got to work on reviewing the first few chapters to ensure I was comfortable with the topics. The studying slowed down a bit once I got to the exercises, and my growth began at this point.

The material provided by Offensive Security is solid, but it doesn’t hold your hand. The OSCP requires you to take the initiative and be curious…….and yes “Try Harder”. As I was initially working through the labs I felt overwhelmed and a bit lost with direction. This caused me to just go back to the PDF and keep working through the exercises. Before I knew it, 30 days were up and my lab time had expired. 0 boxes rooted. I spent the next couple of weeks finishing up the PDF.

At this time, Offensive Security released the Proving Grounds, and wow what a great resource. This was the top resource I used to prepare by far. I signed up for the practice subscription and got to work on most of the easy and intermediate boxes available. Ultimately I completed about 26 boxes from the Proving Grounds.

Finally, I purchased a 30-day Offensive Security lab extension to do the final preparations for the exam. During this time I completed 12 machines and felt I had built a solid methodology for enumerating, exploiting, and privilege escalation. I scheduled the exam.

Summary of completed boxes (Total = 80):

Common resources:

Top Enumeration resource:

Top Privilege escalation resource:

What was your exam strategy?

One week before the exam, I would alternate between doing buffer overflows one night and then doing a box from the Proving Grounds the next night. Two days before the exam I decided to zone out and play some games after work. I also used this time to snapshot and export my working Kali VM to ensure I would be ready for any technical issues during the exam.

My exam was scheduled for 8 am so I went through my morning routine, made some coffee, grabbed some snacks, and logged in to install the needed proctor software. Getting started on the exam, I started my initial nmap scanning on the other boxes while I focused on the buffer overflow machine first. The buffer overflow took me much longer than expected due to small mistakes I attribute to my initial nerves. Finally finished the machine after two hours. This gave me the confidence I needed to calm down and focus on my other machines. I took my first ten-minute break here.

Next, I started reviewing the scans of the boxes and chose to dig into one of the intermediate boxes. Found the initial foothold and the privilege escalation shortly after. Got this one four hours into the exam. Forty-five points down, now if I can just get the hard machine we will have enough points to pass. Decided to take a quick lunch and got back to work.

The last machine I completed was a tough one. I spent a few hours digging through tons of enumerated information looking for a way to gain access to the machine. After two hours I was able to obtain a user shell. Privilege escalation came one hour later. YES! We have the points required to pass with about 16 hours left. Took a thirty-minute break.

Before digging into the other machines I went back through my documentation for each box and ensured it was sufficient for the report. The next few hours I spent attempting some exploits I thought should be working, but were not giving me the results I expected. I was getting exhausted and needed some sleep.

Sleep did not come easy, but I got a few hours of in before getting back to the exam. I continued to dig deeper on the two remaining machines but decided to start focusing on the report. Only three hours were remaining before the VPN would be terminated, and I didn’t want to miss a critical screenshot. I used this time to review, again, all my notes, sources, and screenshots for any missing artifacts.

The VPN was terminated by Offensive Security and it was time to clean up and finalize the report. The report took about four additional hours to complete. I pulled up the exam upload instructions and followed all the procedures with care. Uploaded the report………

After three long days of checking my email an unhealthy amount of times per day, it came. The email stating I had completed the requirements and am now an OSCP!

Conclusion

The journey to becoming an OSCP has been tough, but it is by far the most rewarding certification I have completed to date. After 24 hours of testing in a high-stress situation, I highly respect anyone who carries these letters.

Overall, the OSCP has helped me to become a better defender for my organization in knowing and understanding the mindset of an attacker, and what moves are important to them. I feel all security employees should have this certification if they work on a blue, red, or purple team.

What now?

Well, first of all, I’m going to relax for a few weeks and enjoy spending time with the family and enjoy some hobbies. After the cooldown period, I plan to look further into the Offensive Security WEB-300 course. This is the advanced web attacks and exploitation course and just looks fun.

Feel free to reach out with any questions.

Until next time, stay safe in the Trenches of IT!

Completed Hack The Box Machines:

Easy

  • Lame
  • Legacy
  • Devel
  • Beep
  • Optimum
  • Arctic
  • Grandpa
  • Granny
  • Blunder
  • Blocky
  • Blue
  • Bashed
  • Jerry
  • Netmon
  • Postman
  • OpenAdmin
  • Sauna
  • Tabby

Intermediate

  • Popcorn
  • Bastard
  • Tenten
  • Resolute

Completed Offensive Security Proving Grounds Practice Machines:

Easy

  • Helpdesk
  • Wombo
  • Internal
  • Algernon
  • Metallus
  • Pebbles
  • Kevin
  • Bratarina
  • ClamAV

Intermediate

  • WebCal
  • XposedAPI
  • Nickel
  • AuthBy
  • Banzai
  • Walla
  • Zino
  • ZenPhoto
  • Medjed
  • Slort
  • PayDay
  • Shenzi
  • Pelican
  • Fail
  • Hutch
  • Jacko
  • Nukem
  • Nibbles
  • Postfish

Hard

Meathead