The Road to OSCP

I tried harder and achieved the OSCP certification. I have always wanted to *really* know how a pentester weaves their magic over a system, and the PWK course is the way to get that knowledge

The Road to OSCP

I've been a programmer since my early teens, but never having had the time to really delve into the deep inner workings of systems and operating systems in the course of my employment, I have never had more than the surface level knowledge of security that was required to keep my programs safe. I'd attended SANS courses to keep my knowledge current and follow the OWASP guidelines etc. but I have always had the itch to really know how a pentester weaves their magic over a system to make them do things they shouldn't. This desire wasn't just purely intellectual either; the more I know about how systems get broken means I can protect the company I work for better.

So many moons ago I made the decision that I was going to find a course or training program that would give me the knowledge I craved. This led to lots of research about the various courses available; CEH, CISSP, and so on, and so on. The more reading I did, the more disillusioned I became about a lot of them. They all seemed to be rather shallow in terms of what they actually taught. I wanted to actually know how to carry out an attack on a system by the end of the course, not just be able to select the correct answers from a multiple choice exam. Which pretty much made my choice clear. From a technical standpoint the most well respected course was the Penetration Testing with Kali Linux course with its accompanying certification, OSCP, from Offensive Security - the people who bring you Kali Linux.


Not only did the course seem perfect for what I wanted, the pricing is very reasonable. At the time of writing, you can get 90 days access to Offensive Security's Lab (which is a playground of networks, containing many different machine configurations, and operating systems, all for you to attack), along with a 350 page PDF lab guide, an accompanying 8 hour video series, and a certification attempt for $1,150. A bargain at twice the price. As I had a full time job to fit around the course (and a relationship to maintain with my wife), this was the option I opted for, but if you have more time to dedicate to the course there are 60 day and 30 day options too.

Once the decision was made, I cajoled my boss at work into paying for it, and submitted the company credit card details. Within a few minutes I had my start date for the lab time.

Offensive Security recommend that you have a base level of knowledge before attempting the course and OSCP. They state the following:

Penetration Testing with Kali Linux is a foundational security course, but still requires students to have certain knowledge prior to attending the online training class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.

I would add the ability to read C to the above, as you will find yourself making slight modifications to exploits written in C quite often - alongside Python, Perl and Bash. Linux familiarity is definitely required. Given how much time you will spend in the labs on the command line, you need strong command-line fu as you do not want to waste time looking up simple commands.

Once your lab time starts, you are free to attack every system you can find within your allotted IP range. This is where I have learned a lot of people start to fall down. They expect a more guided course. They want to be hand held through taking down some systems. That is not how OSCP works. Their motto is Try Harder™, and it is well suited. During your lab time you will know frustration like you have never experienced before; but ultimately, when you do Try Harder™ and manage to avoid punching your fist through something when you are told the oft repeated advice, "enumerate, enumerate, enumerate", you will come out the other side feeling a real sense of accomplishment. You know that you figured out the vector needed to upload your exploit. You figured out how to get that reverse shell. You managed to find the privilege escalation to get root on that system. And believe me, when you finally see that connection come back to your box, you won't stop grinning, and you will be hooked!

The way I approached it was to first watch a section of the videos, taking notes as I went, then read the corresponding section of the lab guide and then filling in more detail in my notes if required.

Speaking of note-taking, I used the Offensive Security's recommended tool, KeepNote. It comes pre-installed on the Kali image they recommend you use during the duration of your course. It makes it very easy to take screenshots, and generally just jot down your thoughts and attempts as you work your way through the guide.

Once I had finished the video series and read the guide through, it was time to get my hands dirty. This is the real nitty gritty of the course where you start to apply all the tools and techniques the videos and guide teaches you (and where all the fun is). There are multiple networks for you to find, with a myriad of different systems. From simple point-and-shoot metasploit takedowns to puzzling CTF style enigmas. A lot of systems have multiple roots to being cracked, so you can always revisit them and look for new ways in.

Now, I mentioned just how frustrating it can be when you think you have looked at every possible angle and still can't find your way into a system, but that doesn't mean you are entirely on your own. There are official forums, where you can request some pointers - although any spoilers will be removed by the mods, and there is an IRC channel where you can chat with other OSCP students, and then there is the [official support website](Chat Live with an Offensive Security Admin) where you can speak with student admins who may be able to give you a nudge in the right direction. However, there are some boxes they won't help you with at all, and in a lot cases they will just tell you to enumerate more. That's where the will power not to put your fist through your monitor comes in ;)

I also found the following web resources invaluable:

Windows Privilege Escalation Fundamentals

Basic Linux Privilege Escalation

Reverse Shell Cheat Sheet

Creating Metasploit Payloads

If you persevere you will eventually have a breakthrough in understanding, and those boxes will start to fall, one by one. Every time a box does fall, make sure you have taken detailed notes of every stage. Somebody else should be able to follow your notes and repeat the exploit exactly as you have done. This is so you can write a lab report to submit as part of your exam. This extra lab report is worth 5 bonus points - which may just give you enough points to push you into a passing mark. You can also do all the exercises in the PDF lab guide and submit a report for those for a further 5 bonus points.

All too soon your lab time will come to an end. At which point it's time to book your exam. Now the exam is a gruelling 24 hour experience, and not to be taken lightly. Make sure you are well rested, and can book your 24 slot at a time period that makes sense for you. This may mean pushing back when you start it a week or two. I had to wait almost a month from the end of my lab time before I could get a weekday slot starting at midday local time.

The exam is a format similar to the labs. You will be given 5 IP addresses of systems for you to test. Each system has various point values, totalling 100 points. You need 70 to pass (don't forget you can get up to 10 bonus points by submitting a lab report and exercise report). To get full marks on a system, you must get root (or NT_AUTHORITY/SYSTEM), and have multiple screenshots detailing the exploit, and proof that you have a root shell. The full details of what you need to provide can be found here. Make sure you read it through before you start the exam. Then to make all this proof count, you have to submit a pentest report for the exam machines, just like if you were engaged by a company to pentest their systems. You have 24 hours from the end of your exam to submit all these extra reports.

And that's it. Then you just have to wait to hear from Offensive Security about your result. And I am very glad to say that I passed first time. I couldn't stop grinning for days.

If you don't manage to pass first time though, don't forget the motto, Try Harder™. You can book lab time extensions in blocks of between 15, and 90 days - and each extension includes a resit attempt. So learn from the exam where your weak areas of knowledge are, and then hit those labs again.

The will to not give up is one of the most important things this course teaches you.

Thanks for reading.

Dean - OSCP