OSCP Review

In this post I will outline my experience with Offensive Security’s PWK (Penetration Testing with Kali Linux) course and the accompanying OSCP (Offensive Security Certified Professional) exam.

MY BACKGROUND AND PREPARATION

Before enrolling in the PWK course I was working IT helpdesk (answering phones, making tickets, etc.). I had earned my CompTIA A+ and Network+ certifications in 2019 and was looking to earn my Security+ to complete the trifecta. While researching Security+ in January 2020, I discovered the fabled OSCP exam on some Reddit threads. OSCP sounded way more interesting than Security+, so I decided to give it a shot. I downloaded the official Kali image, signed up for HackTheBox, and started binging Ippsec videos on YouTube. I went through about 20 Ippsec videos prior to signing up for PWK.

Offensive Security lists the following as course prerequisites: solid understanding of TCP/IP networking, reasonable Windows and Linux administration experience, familiarity with Bash, and scripting with basic Python or Perl. I did not have any Linux experience prior to my first Kali install. I also did not have any Bash/scripting experience. This definitely put me at a disadvantage during the course because I was continuously researching Bash/Python syntax while running exploits. If you are not on a time crunch, I would recommend taking a short Python course and reading the Linux man pages.

PWK LABS

I signed up for PWK in February and started the course mid-March with 90 days of lab access. It took me about 60 days to get through the monstrous 850+ page PDF. At the end of the 90 days I had root/admin on 25 machines with a user shell on an additional 6.

The PWK course material was phenomenal. I found a lot of value in watching the videos first while reading the corresponding section in the PDF at the end of each video. The content in the videos and PDF is not always the same for each module. My biggest piece of advice is to take your time. Some people recommend blazing through the material in a week or two and spending the rest of your time in the labs. This may be a good approach if you have some penetration testing experience. If you’re new like me, I suggest going slowly through all of the videos and PDF to make sure that you fully understand the material before dedicating a lot of time to the labs.

THE EXAM

The OSCP exam is a scary, exciting, and tiresome marathon. You are given a 24-hour VPN connection to 5 machines with varying point values. The objective is to obtain user and root flags on each of the machines. You need 70 points to pass the exam. I attempted the exam on June 12th at 9:00 AM. I scored 35 points from 2 machines within the first couple of hours, but struggled to find the correct exploitation paths on the remaining servers over the next 10+ hours. I ultimately ended my exam with about 60 points, not enough to pass. The hardest part about the exam is the rabbit holes. The exam machines are designed to deceive. There were some exploitation paths that looked very promising to me, but only led to dead ends. The reason I failed was that I became hyper-focused on the dead ends rather than taking a step back to reevaluate my options.

With one exam attempt behind me, I immediately scheduled my next attempt for July 17th at 8:00 PM. I focused entirely on improving my enumeration in the month leading up to the second attempt. I completed an additional 35 retired HackTheBox machines and intensely studied Ippsec and 0xdf’s enumeration methodologies. The night of the exam I made a big ole pot of coffee, connected to the VPN, greeted the proctors, and started hacking away. This time I was able to quickly identify the truly vulnerable services and applications on most of the machines. After 2 hours I once again had 35 points. Another 5 hours later and I was back to roughly 60 points. At this point I was sitting on two low-privileged shells. All I had to do was escalate my privileges and claim my certification. I decided to sleep for a few hours and approach privesc with a fresh perspective. After arriving back at the terminal, I elevated both shells in under 2 hours. Knowing that I had enough points to pass, I relaxed and focused on writing clear and concise documentation paired with screenshots for each machine. When the VPN connection closed I had rooted 4 boxes. I took another short nap and completed my report.

After 3 days (which felt like an eternity) I received this glorious email:

THE FUTURE

Earning my OSCP designation was a bittersweet moment. I feel validated knowing that I have the technical know-how to pass the exam, but I miss the grind of chasing the certification. I still feel like a complete noob.

I have recently started a desktop support role, but intend on continuing my infosec education. My goal for the remainder of 2020 is to learn more about web exploit development and earn my OSWE certification. I signed up to start Offensive Security’s AWAE course in October and hope to be ready for the OSWE exam by December.

RESOURCES

Feel free to reach out to me on Twitter if you have any questions :)

These are some of the resources that I referenced during my OSCP studies:

Name | Type
Vulnhub Privesc Guide | Guide
Pentest Monkey Reverse Shells | Cheat Sheet
Total OSCP Guide | Cheat Sheet
winPEAS/linPEAS | Script
Do Stack Buffer Overflow Good | Guide
Enumeration Guide | Cheat Sheet
Full MSSQL Injection PWNage | Guide
Linux Privilege Escalation w/ SUID Binaries | Guide
Autorecon | Script
Pivoting | Cheat Sheet
GTFO Bins (Linux Binaries) | Cheat Sheet
LOLBAS (Windows Binaries) | Cheat Sheet
WFUZZ - Webapp Fuzzer | Script
OSCP Command Filtering Tool | Cheat Sheet
Nishang Reverse Shells | Script
Unix Wildcard Exploitation | Guide
Rana Khalil HTB (metasploit free) Writeups | Guide
0xdf Writeups | Guide
Ippsec Videos | Guide
NetSecFocus/TJ_NULL OSCP-like boxes | Cheat Sheet
SQLi Auth Bypass | Cheat Sheet
OSCP Practice Exam | Guide
Payload All The Things | Cheat Sheet
Pentest.ws | Cheat Sheet/Notetaking
TJ_NULL OSCP Joplin Reporting Template | Notetaking/Reporting
Penetration Testing: Hands on Introduction | Book
John Hammond | CTF Guides
Linux Privilege Escalation | Udemy Course
Windows Privilege Escalation | Udemy Course
Fuzzy Security - Windows Privesc | Guide/Cheat Sheet
g0tmi1k - Linux Privesc | Guide/Cheat Sheet
Python Bootcamp | Udemy Course
Kali Linux Revealed | Book (Free PDF)
The Linux Command Line | Book
Infosec Prep Discord | Discord Server
PortSwigger Web Academy | Guide
Linux Man Pages | Cheat Sheet

Written on September 8, 2020