After several months of studying, I was finally able to successfully achieve the OSCP certification after two attempts. This has been one of the certifications that I have desired after making the switch from a long career in Cisco UC/Networking to Cybersecurity. With that said, I wanted to share my experience to help inspire those wanting to achieve this certification as well as those who have been struggling to pass the exam.
I have been in the IT field for 24+ years and held positions as a PC Tech, System Admin, Security Admin, Network Admin/Architect/Consultant, UC (Unified Communications) Admin/ Architect/Consultant, and Management. I have or had an alphabet’s worth of certifications in that span; including CCIE in UC (#17963).
As I previously mentioned, I made the switch to Cybersecurity nearly two years ago as a Penetration Tester. Fortunately, or unfortunately, I have not had a mentor to show me the way and have had to rely on self-study and a very encouraging community for guidance.
Pre-PWK (The Journey):
While I was in the process of preparing to make the switch to Cybersecurity, I did my research about the different certifications within the field and which ones would get past HR as well as those that would be accepted by the community.
Once I had my list, I then reviewed each of the requirements to achieve the certification. In addition, I reviewed many posts of “Certification X vs Certification Y” to learn about the author’s experience with the certification; while paying close attention to those achieving the OSCP.
My first choices were to go after the C|EH and ECSA. I chose those since I had returned to college to achieve an AAS in CyberDefense and I could use them to test out of classes. I also decided to obtain an OSWP based on my previous network experience.
With those certifications achieved, I felt comfortable tackling the eJTP and eCPPT. In addition, I started working on a list of VulnHub labs that were like the OSCP systems.
The last step that I took was to obtain access to HackTheBox (HTB). I started working the “easier” free systems to help me get in the mindset for my future studies within the PWK lab.
When I purchased PWK, I chose the 90 day lab access that included one exam attempt. My strategy behind the purchase was to put in the study time and take the OSCP exam after 60 days of lab time. If I failed (which I did) I would have 30 days of lab time remaining to adjust my studies and attempt the exam again with purchasing a retake fee.
Note: OffSec posted a new Cooloff policy in 2020. So, this may affect your strategy moving forward.
I began my journey shortly after receiving the email from OffSec with the training manual, videos, and VPN access. My strategy was to complete the lab guide prior to going into the full lab and pwn1ng the systems.
Working the training manual, I was able to complete about 90% to 95% of the requirements within a two week period. Keep in mind, one’s mileage will vary depending on the familiarity with tool sets and the amount of time allotted per day.
A word of advice; don’t’ treat this as a race and try to be “first” to complete the training manual. Instead, take the time to learn and let the concepts sink into memory. If you purchased a 90-day lab package, you have plenty of time.
With regards to the lab, I would recommend starting with the system named Alpha and work along with the notes provided by g0tm1lk (found in the Official PWK forum). Doing so should help with one’s technique and provide an overall view of how many of the lab systems have been configured.
After Alpha, I started with the lowest IP Address and worked my way up. There were a few systems that required dependencies and those systems could not be compromised until the requirements were found. In addition, one may find a few other networks along the way.
In total, I managed to pwn 33 systems within 50 days of total lab time. However, I relied too heavily on the PWK Forums as a crutch. So, I reworked each of those systems searching for other attack vectors and relying less on the forums and my notes.
Exam Attempt #1 (~47.5 points):
My first attempt at the OSCP exam could have been considered an epic fail. I managed to pwn one of the two 25 point systems as well as gained a foothold (FH) on the second 25 point system and one of the 20 point systems. Had I been able to properly privilege escalate (PE) both of those systems, I would have had the points to pass.
I viewed my fail as a learning experience. It exposed a couple of my weaknesses and provided me the knowledge to correct them and of course, “Try Harder”. In addition, it provided me positive reinforcement that my methodology worked as well as my ability to quickly identify “rabbit holes”.
The two most critical mistakes that I made on this attempt were that I focused too long on a system prior to moving on and I did not utilize my Metasploit allotment wisely. My inability to break my focus snowballed and eventually put me into a panic situation. When I reached that situation, I grabbed the trump card (Metasploit) and tried to use it on the 10 point system versus using it to PE one of the two systems that I had a FH.
Within hours of knowing that I failed my first attempt, I decided to put the effort into documentation like I had the points to pass. I then submitted my Lab and Exam paperwork into OffSec knowing that I would receive a fail notification.
Going through the documentation process actually aided me to uncover the proper PE for both the 20 and 25 point systems on exam. In addition, it also provided clues on compromising the 10 point system and the second 20 point system.
Next, I purchased an Exam Retake and scheduled my next exam attempt within 45 days of failing. As I became more comfortable about retaking the exam, I moved my exam date to where it was about three weeks after my failed attempt.
Utilizing my documentation from my fail, I decided to try to recreate my exam attempt in my personal lab. Knowing that it would not be an exact replica, it did provide me the ability to practice my PE techniques based on the 20 and 25 point systems mentioned previously.
I then spent a considerable amount of time reading and reviewing HackTheBox write ups and ippsec videos. In addition, I continued to utilize my left over lab time practicing and trying to increase my speed.
Exam Attempt #2 (~80 points):
My second exam attempt was much different from my first attempt and it consisted of a new set of targets. I was able to fully compromise 3.5 of the 5 systems within 7 to 8 hours. As fatigue was starting to set in, I decided to start documenting my steps seeing that I had enough points to pass.
During my documentation process, I had discovered the proper PE path and was able gain an addition 10 points on the first 20 point system. So, I ended up with 4 out of 5 systems in less than 10 hours.
At this point, I spent another two hours adding details to the skeleton draft of my exam documentation. I then paused for several hours to get some sleep.
Upon returning from my extended break, I reviewed my core documentation and then obtained missing screen shots and commands. I then finalized my documentation so that it was ready to submit to OffSec for pass/fail.
With less than two hours left, I made a few additional attempts on the second 20 point system. I know I was on the correct path of obtaining a foothold, but ran out of time.
As soon as my time expired, I submitted my Lab and Exam reports and I received the report acknowledgement email within 3 hours to 4 hours. Within a 48 hour window of submitting my reports, I received the official email that I passed the OSCP from OffSec.
My strategy for successfully passing the OSCP was based on what others have already documented. Below were the strategies I used during my passing attempt:
· Exam start time at 12:00
· Scan systems that were not identified as the Buffer Overflow
· Compromise the identified Buffer Overflow system
· Take a break after partially or completely compromising a system
· If not having success of any kind on a system after 30 to 45 minutes, move on to another system
· Enumerate, enumerate, enumerate…
· Full documentation after 70 points
Reflecting back on my experience, I would have approached the OSCP a little differently. The following is a list of items from my lessons learned:
· Spend more time on HackTheBox with the OSCP Like systems prior to starting PWK (Zero to Hero technique)
· Use the PWK Forums to review how other’s compromised a system after compromising the same system
· Understand x86 and x64 shell functionality when utilized on x64 based systems
· In the exam, thoroughly document after each compromise while the process is “fresh”
Recommended Tools and Scripts:
During my time in the lab and exam, I used and tested numerous tools and scripts that were not included within the base PWK Kali image. I found the following to be the most useful to me:
AutoRecon (Tib3rius): an enumeration tool that automates several task during information gathering/enumeration
CherryTree Template (411Hall): imported template into CherryTree to organize notes for the Lab and Exam
JAWS (411Hall): a Windows PowerShell script used during post exploitation
linux-smart-enumeration (Diego Blanco): a Linux script used during post exploitation
OSCP Exam Template (whoisflynn): I utilized this template, with minor adjustments, for both my Lab and Exam reports
Reverse Shell (nishang): a Windows Powershell reverse shell script
Reverse Shell (Etienne Stalmans): a Windows Powershell reverse shell script
rsg (Matheus Bernardes): a reverse shell generation tool; easy to copy and paste
wwwolf-php-webshell (WhiteWinterWolf): a stable PhP web shell to aid in gaining a foothold
I used the following resources for assistance, command reference and exploits, as well as reviewing recommended OSCP like systems:
DiscordChannel: unofficial Discord Channel with multiple discussion topics
guif.re (Guifre Ruiz): an excellent repository of command references
swisskyrepo (Swissky): another great repository of command references and exploits
Vulnhub List (abatchy): a list of OSCP like Vulnhub images
HTB List (TJnull): a list of OSCP like HTB (HackTheBox) systems
ippsec OSCP Play List (TJnull): ippsec walkthrough videos based on HTB OSCP like systems
Finally, I wanted to provide writeups from my past certification experiences as well as pwn3d HTB and VulnHub writeups on my Medium page.
Lastly, good luck and “Try Harder”.