Thursday, October 6, 2016

My OSCP Story

Good evening,

I'm going to deviate from my normal professional development and technical discussions to talk about an accomplishment I'm rather proud of, I passed the OSCP test! For those of you who don't know what OSCP is, check out the website here:

First I want to say that this blog is completely my own opinion and does not accurately reflect the views of any past, present, or future employees nor does it represent the views of the Offensive-Security team.

I started the course, Penetrating Testing with Kali Linux (or PWK), at the end of July with 60 days access to the lab. I think, given my background, this was sufficient time but, the amount of time you should purchase DEFINITELY depends on your background. Do not let the price tag fool you, the extra time you spend studying and learning will definitely help you pass the exam. The lab is full of machines with many different configurations, operating systems, and vulnerabilities that you, as the student, need to figure out how to exploit. Some exploits will land you on a root shell immediately and some will only land you with a low-privilege shell. If you have a low privilege shell then you need to escalate your privileges to root or Administrator (Linux vs Windows).

There are something like 50 virtual machines in this practice lab and the learning opportunities are figuratively unlimited; there is typically more than one way to exploit most systems. Rumor has it that if you are able to exploit every box in the public network (there are other hidden networks) except for Pain, Sufference, and Humble then you're good to go for the exam BUT there is no proof to this and the amount of learning required to pass the exam is different for everyone.

The exam consists of 5 boxes of varying points values and students need 70/100 points to pass the exam. So now I'll give my experience with the labs and exam.

My PERSONAL experience with the labs was awesome. I loved exploiting every single box and with every successful exploit I felt like I understood the process, exploits, and methodology just slightly better. I think I ended up exploiting around 30-35 of the available boxes (life got in the way of the rest of them) but, the most important thing for me was to understand the methodology. I really started to understand how Remote File Inclusion/Local File Inclusion (RFI/LFI) exploits were used, I really understood what to look for with privilege escalations. I became more familiar with metasploit. I was able to understand and modify exploits for my own use when necessary. These and other skills are explained in the course material but, its up to you to take those examples, do them, understand them, experiment with them, and master them to be used during the lab and on the exam. I can't believe it took this long to mention it but, you will learn to "Try Harder" in this course. One common misconception, in my opinion, is that the course material is everything you need to pass the exam. This is both true and not true. It is true that you have every tool you need to exploit any machine. It is not true that you know how to use each and every tool exactly as necessary to exploit any machine. When you are frustrated, angry, and all the admins will say is "Try Harder", take it to heart and try harder. You will be so glad you did.

Now, for my exam story. I thought I had scheduled my exam for Friday Sept 30th at 5am. When I woke up to take the exam, I never got the email so I contacted support. They had no record of my registration and even though I was frustrated, I scheduled my ACTUAL exam for October 3rd at noon. I spent the weekend playing around with virtual machines from VulnHub just to whet my appetite for the OSCP exam. Monday comes around and I get up, get ready, and at noon I get the exam email with my connection details. I spun up my PWK virtual machine and it would not connect to the internet. WHAT. I tried to configure the virtual machine adapters and it wasn't working. So, after 15 minutes, I got my laptop, which was conveniently also running Kali Linux, and I was able to connect to the exam network and start my exam. I looked at the point values for the machines and started with the lowest valued machine to get in the swing of things. I was able to exploit the first machine in about an hour. BOOM 1/5. I then moved onto the next machine and after about three hours I got the second machine completely. BOOM 2/5. I worked on the third box and after another three hours or so, I got the next box. BOOM 3/5. I was feeling really good but I didn't want to get cocky or disheartened; I wanted to maintain a level, calm, focused attitude. So, at this point, it's about 7-8pm and I continued on the fourth and fifth machines and by 2am, I had a low privilege shell on the fourth machine. I slept from 2am to 6am and got up, took a swig of mountain dew, and brewed some coffee and got back to work. Well, little did I know, my laptop had updated and crashed and would not boot into the graphical UI. So I switched back to my desktop and spun up a new Kali virtual machine and was able to continue the exam. I had a low privilege shell on the fourth machine and I could not figure out how to escalate. I searched and searched until I finally was going through the output of a tool and saw something I had missed before. It basically said, in a very inconspicuous way, "you might want to check this out?" Well THANK YOU output. Way to not draw attention to something I'm looking for. Anyways, I was able to use this to finally escalate my privileges on the fourth box and get proof.txt. Thus, I had four out of five boxes completely compromised with one hour left in the exam. I tinkered with the last box and found a vulnerability but could not even get a low privilege shell. 4/5. Not bad at all. According to the scores I believed I had passed but ultimately Offsec had the final say. I contacted the admins and told them of my technical difficulties and they were willing to work with me but, I was able to get the screenshots and data off my laptop using recovery mode and then I wrote up the report.

Well, today I got the email! "We are happy to inform you..." I had successfully completed the exam and I am officially OSCP certified. I laughed and cheered and told my family and friends that I had passed that 'super hard, 24-hour, hacker exam'. The best part about this exam was the hard work. This exam meant so much to me because of how much effort I put into this course and exam. I spent over 100 hours learning and practicing this material. I don't regret one single minute of it and I can't wait to start the Cracking The Perimeter course and get the OSCE next.

No comments:

Post a Comment