Here’s my take on writing a review for the recently finished “Offensive Security Certified Professional (OSCP)” certification.
This thing really was special and it took me a while to realise how awesome this course is. So I’ll start with a little time travel, back to 2013.
A little bit of history
In April 2013 (4 years ago!!) I took the decision to enroll in the “Penetration Testing with BackTrack (PWB)” course. You probably don’t know me, but I have been into “hacking” really my entire life. Writing BASIC code on a Commodore C-64, hacking, reverse engineering and low level memory stuff on the Amiga (500->2000) and then later having loads of fun with IDA Pro on IBM PC / Windows. So, I always loved to “understand” stuff, to reverse it, to get to its bones, understanding the author’s intentions and thoughts while he created that piece of software. And then break it. Find a way around security measures. Tease your brain. Awesome stuff.
I knew quite a bit about networking, Linux etc. but had never been a real expert in that. Of course I had servers running, hosting self developed software, but that never really had been “OS level”. And let’s not talk about Windows server technology… Always been more of a coder than a network guy.
So I enrolled in the course, got my lab access and documentation … and never started working on it. Scanned over a few chapters but just wasn’t “on fire”. I somehow didn’t feel attracted to the idea of “testing out every exploit out there until I find the matching one”. I thought it was stupid because it seemed to be random trial & error to break into a server/network. Boy, was I wrong at that time.
So my lab time ended. I extended it for another 30 days in 05/2013 and for another 60 days in 07/2013. I was busy with life, with my “real job” (freelance IT consultant), and it felt lame to not progress in that course. My ego was too strong to just let it go. But eventually, I stopped caring and the lab access ended in 09/2013.
During the next two years, the focus of my “real job” changed. I did way more low level Linux work. Server administration, automating things, more “console hacking”, more “OS level” stuff, and I actually started to enjoy this “other side of IT”. After years of coding software, it was nice to see that you can also “code” infrastructure (today it’s a part of that DevOps idea). Did a lot of bash scripting, wrote loads of tools in Ruby. I was on fire, again.
In early 2015, Offsec changed the course from PWB (Penetration Testing with BackTrack) to PWK (Penetration Testing with Kali). Due to that transition, they offered existing/PWB students a discount for upgrading to the new course. Sounded interesting. So in 09/2015 I grabbed that opportunity and upgraded to PWK. Got the new course material and started reading….
… and this time, I was reading it all – and it sounded like fun – so I decided to give the lab a try. Bought myself 30 days of lab time in 10/2016 and decided to get serious.
But real life got me again. Just too much other stuff on my plate. Private stuff that required my attention. So it took me until 12/2016 before I really started taking this stuff seriously.
So I took my time to understand Kali, went through all the PWK exercises, documented my findings in Keepnote and started to understand the concepts behind penetration testing. And man – I LOVED it. And it even included a bit of assembly code hacking – which really is my passion. So awesome – writing your own exploit based on reverse engineering Linux/Windows software. Really great.
Finished all the exercises and then went on a pwning spree. Started to hack the lab servers and … completely went “on fire”. I became addicted. Once the first servers fell, you start to feel like a drug addict – constantly on the hunt for the next “kick”. Spent all my time – mornings, evenings, nights, in breaks at work – thinking about how to hack the next server. Digging through Google search results, understanding concepts, digging deep into Linux and Windows internals, testing out stuff in the lab, reading blogs and research papers. A great challenge. I was totally in love. Totally “in the tunnel”.
Owning the lab
Spent January and February 2017 in the labs. I really wanted to own all of the 50 servers. And I finally did. It really is hard to describe, but the feeling once you “crack” one of the more complex boxes (you know them: Sufferance, Humble, Pain etc.) is crazy good.
After spending hours/days of 24/7 thinking about how to exploit a given scenario (i.e. a defined configuration of a Linux/Windows server) and then, all of a sudden, you just have “the” idea – “the” idea that solves the puzzle. It’s just genius and gives you a nice insight into how your brain (and your ever present creativity) works. All these stories about “having your best ideas in the shower” or “take breaks if you wanna succeed” – they are all true. You always knew it’s like that – but this course really proves it to you. You spend 7 hours trying to break into a box and then, hours later, in a restaurant, you just have a new idea. It just pops up – and it’s the solution. That’s the beauty of human instinct, human creativity, human thinking. Yes, it sounds philosophical, but it really is major fun 🙂
So I hacked and tunneled my way into the admin network and finally owned the last of the boxes. Success. Now I felt confident that I knew enough for the exam.
The rest of the lab time I used to revisit all my exploits for each of the servers. Made sure that I had taken screenshots and notes so that I could revisit them later in case I had to catch up regarding certain vulnerabilities / steps to ownage. And then – I signed up for the exam. Exciting.
Really wanted to do the exam on a Saturday – and the next free slot for Saturdays was in two weeks. So that meant: 2 weeks of doing nothing, of anticipation, of being excited. So be it then. I used the time to finalize my lab report and to also include the documentation for the exercises (since that will give you extra points) in it. Also played around a bit with some vulnhub VMs (see this link to read some of my walkthroughs). Tried to keep my brain in “hacking mode” until the exam was about to start. And that worked pretty well.
And then the day of the exam arrived. I planned it to be Saturday 10am to Sunday 9:45am and then to have all Sunday for finishing the exam PDF report. I was all prepared and excited AF. Really wanted to crack this certification because I think it’s awesome and one of the rare certs where you actually have to do something (instead of just memorising correct answers – which I always hated and always refused to do).
After a quick breakfast, the email with the exam VPN access and instructions arrived.
Let the games begin!
As you probably know, you get assigned 5 servers with different tasks you have to finish. Each server has different points attached and you have to reach 70% of the points in order to pass.
I decided to go for the “get the minimum amount of points” approach. Nailing the 70% ASAP to calm things down a bit. So I went for the two “bigger” servers (the two with the highest points) first.
Getting a low priv shell on the first server was easy. I felt superior and thought: Wow, that’s easier than I thought it would be. Two hours later I got root on the box. And the only reason it took so long was because I wanted to have good screenshots for the report (and I usually work quite fast and messy, hence I had to re-do some steps to produce clean screenshots :-)). So what, 4 hours in – one box down.
The next box was a bit special – the task attached to it was something I love doing. So I went for it since I felt I knew how to tackle it. And yes, 2.5h later – I got root on that 2nd box.
So, 7 hours into the exam. Two boxes down. Not bad, but not great either. I guess I was just a bit too nervous (and I also tend to overcomplicate things A LOT).
But then things started to suck. I started enumerating the next box (let’s call it MOO) and … nothing. No damn clue what was going on. I really looked at everything but couldn’t find an attack vector. This really drove me mad. The evening was approaching and we had an appointment with friends for dinner at 7pm. My brain was glowing and I just couldn’t stop thinking and evaluating every possible logical condition to look for attack vectors.
Since I got stuck with that server, I switched to server #4 and gave it a try – but it wasn’t a quick win either. So I danced around these two machines without success. Finally went off for dinner. And that sucked too. Gf and friends were having fun and all I could think of was “how to own that damn machine”. Had I already been defeated? Owning two servers wasn’t enough for passing the exam. Even with the added points for the lab report / exercises. So I had to get at least another one. And I wouldn’t give up.
At around 10pm, I took a cab back home. Friends wished me luck and off I was. Bought some Red Bull and sweets (sugar!) on my way home to help me get through the night (since I had a feeling that I might need the time). Really was anticipating the next hours of “battle”.
Decided to stop working on that damn MOO server and hopped on to the other one I had briefly worked on before. This box was a Windows machine and as we all know – owning them usually is a bit more complicated compared to Linux machines (at least for me). But after a LOT of enumeration, at 2:30am, I finally found a low privilege way into the box and, at around 4 o’clock in the morning, after even more enumeration, I managed to get SYSTEM on that server too.
SUCCESS. That would be JUST enough points to pass.
But I wanted to be 100% sure to pass (and honestly, I also couldn’t stand the feeling that these two other boxes had defeated me). So I continued working. 6 hours left until the exam lab would close its gates. Popping the next Red Bull, I checked out server #5.
Argh, another Windows box. But this one was very “logical”. You just had to collect all the facts, put them together in the correct order and it became evident which vulnerability had to be exploited here.
Took me a while to get this done although I knew which vulnerability was “right”. Super tired already and the brain started to make errors. But I finally found the missing piece and owned the machine. At around 7am on Sunday, I had administrative rights on that server, which meant I should definitely have enough points now to pass the exam. 4 out of 5 boxes rooted.
Big joy. Big fun. Big satisfaction.
After that, I didn’t even bother to approach my arch enemy MOO again. Just wanted to relax and enjoy the success. Felt like having fought (and won!) a battle. I was confident that I would pass the exam and get my certification!
Sunday a.k.a. “Report Day”
Sunday I was just tired. Went to bed at around 10am and slept until 2pm or so. Not enough, but yeah, I had to finish the exam report. So I started pasting all the Keepnote data into the Offsec report template. Due to my experience with writing the lab report, it was quite straightforward to finish the exam report. But being a perfectionist, it took time – I really wanted to make it look professional. I guess it’s just my work ethic – always trying to deliver top notch quality 🙂
Finished the report package (exam, lab, exercises) at around 7pm that evening. Sent it out to Offsec with a big grin. I somehow knew I had got this.
Got a confirmation mail from Offsec later that evening. They had received my mail and would tell me about my exam results within the next 3 business days. Now all that was left was waiting for that bloody email.
Monday evening, I was just sitting at my workstation at home, doing some stuff, and at 11:47pm I received the email from Offensive Security. “We’re happy to inform you…” – So yes, I passed the exam! Awesome. That thing that kept me busy for so long. That thing I tried to approach many times, without initially realising how awesome it was. That thing that I could have gotten 4 years earlier. That thing… gotcha.
My personal learnings / Bottom line
- I totally enjoyed this. 100%.
- It may sound weird, but this course isn’t difficult per se – there’s no rocket science technology involved. The difficulty is to find a working attack/exploitation vector (and there are loads of possibilities out there) and to be creative. And Offsec did a hell of a job building scenarios that are difficult/tricky to exploit.
- If you love Linux (or better: working in a terminal) then this course will rock your world. Loads of “typing” involved 🙂
- The exam is TOUGH. It takes time to find working attack angles, and doing that in a 24h limited time frame causes a lot of pressure you have to handle (on top of the fatigue that will get you too, eventually).
- But once completed, OSCP feels a bit like a membership. There’s a community of people out there that passed this exam and each one of them went through the same pain and suffering as you did. We respect each other and it’s easy to make contacts with other OSCP guys. Good stuff.
- I am a bit sad that it took me so long to finish (or better: start) the course. But life’s a bitch and sometimes things just don’t work out as planned. The key to success is: Never give up (or: try harder, as Offsec would say).
So, bottom line: A super awesome experience. Best course I ever did. Recommended to anyone interested in the field of “hacking” or “penetration testing”.
If you have any questions regarding OSCP, PWK or anything around that – let me know. I’d be glad to help out and will do my best to support you guys (of course without giving out spoilers :-)).