Some months ago, I took the Offensive Security Penetration Testing with Kali Linux (PWK) course and passed the exam for the OSCP certification. The whole experience was greatly rewarding and the PWK lab got me really hooked. I thought that it would be helpful to write a review on it for infosec professionals aspiring to tackle this challenging and demanding course.

Intro

I was registered for the 60-day period. I had hacked all 56 machines in about 40 days and passed the exam on my first attempt. This is the bright side of it. The dark, albeit necessary, side was that I had to dedicate a lot of time, energy and effort to accomplish this. The exam can be extremely challenging, especially because it is very easy to get stuck and this leads to frustration and anger. That leads to suffering and potentially giving up. Welcome to the dark side.

It is an exercise of grit and will above all else.

Yes, you have to know your shit tech-wise but in the end it comes down to due diligence and having a structured methodology - which is exactly what 90% of penetration testing really is (and I dare say science in general as well). And don’t get me wrong - the other 10% is extremely important too - thinking out of the box and figuring out creative solutions to hack your targets is the manifestation of hacking in its original meaning. This also alludes to the Thomas Edison quote about the fact that Genius is one percent inspiration, ninety-nine percent perspiration.” Indeed, adhering to a rigorous methodology of tests that should be conducted and documented is what will make the most impact. I am fairly certain anyone who has served in the military would agree with me on this. Don’t forget that it is often the simple, low-hanging fruit, overlooked because they are considered too trivial, that can make the difference between a dead-end and a full system compromise. However, creating maintaining and efficiently executing that master checklist of tests is the hard part that comes with experience, keeping up-to-date with new techniques and industry research, as well as automating anything that should be automated.

Before I digress any further, let’s go back to discussing the PWK course.

Motivations

OSCP is one of the most respected certifications in the information security industry and rightly so: both the course and the exam are stirctly hands-on. No multiple-choice questions - this is the real deal: hack your targets in a virtual lab network and then do the same in an intensive 24-hour exam to prove you have learnt the fundamental techniques of a penetration tester. This by itself should be more than enough motivation for any infosec professional - even if you have years of experience in the field it can still be fun and you can always learn new things along the process.

What also personally motivated me during the course was that some fellow infosec engineers and me were keeping score of all the boxes each of us had rooted, so subconsciously it acted like a competition. Getting the next root flag (which means full compromise of a box) kept the dopamine and adrenaline high every time. In the end, I was entitled to the unimportant bragging right of compromising all hosts and doing so earlier than everyone else.

Course

The course comprises of:

  • VPN connection to the lab network
  • a well-written book of about 400 pages worth of studying material
  • a series of videos supplementing the book
  • forum accessible to PWK students
  • irc channel

The great thing about the lab is that the hosts are simulating a real network, which means that unlike mostly isolated hosts and challenges from sites like vulnhub.com, there are a lot of interdependencies. After gaining access to a system, you will often find clues that help you hack other machines - this is why post-exploitation and digging in compromised hosts is important. You will often fall in the mental trap of wanting to own everything in the network and rushing to break into host after host using whatever means and tools necessary but you should never forget that the lab is there for your learning experience, not just for bragging rights.

While you should never be asking for a solution on how to compromise a machine, it can be quite beneficial to bounce off ideas with fellow students on the exploitability of the multiple attack vectors that many of the lab systems offer. I personally never used the irc channel and only read a couple forum posts. They can both be great assets to your learning journey in general but I would advise to be careful while using them to avoid accidentally reading any spoiler hints - unless you are really stuck and are in need of some fresh ideas to get you going in the right direction. There is often more than one way to hack the machines, some easier than others. Speaking of easier ways, keep in mind that in the exam you are only allowed to leverage the metasploit framework only against one machine of your choice and thus it is wise to learn not to abuse and rely on it too much during the lab training because that dependency will potentially come back and bite you at the exam. Even if you manage to crack a lab machine using a metasploit exploit, try to then create a custom version of the exploit, port it to another language of your choice and play around with other attack vectors as well. You are also not allowed to use any automatic exploitation tools (such as Sqlmap) so you have to learn how to do most things manually. See https://support.offensive-security.com/#!oscp-exam-guide.md for more information on the exam restrictions. Notice how the ban is on automatic exploitation rather than enumeration tools - with that said, leveraging the automation that various enumeration scripts give you is a must and ideally you will code your own programs for that. A notable example is the linux privilege escalation checker by Mike Czumak at https://www.securitysift.com/download/linuxprivchecker.py

You can find a collection of useful notes on penetration testing techniques here: https://sock-raw.org/wiki/ - It also contains references to a multitude of other sources I consulted during the course.

OSCP exam What my room looked like throughout the OSCP exam or what time warping looks like while hacking - (illustration by Klajdi Cano)

Exam

I scheduled the exam for Saturday noon. I am generally a night owl so I wanted to make sure I get a good night’s sleep the day before and not have to worry about getting up too early for the exam as this can cause unecessary stress and can impact recovery after a full work-week. Weekends work best since you will need the 24 hours for the exam and then another day to write an extensive report on how you have accomplished everything.

You will need 70 points to pass the exam for a maximum of 100 points. Each machine is worth different points depending on how hard it is to get and the level of access you get - generally a low-privileged shell will give you less points than a SYSTEM/root shell. The lab report, at the time of writing this, can only provide you with an additional 5 points after being changed from 10 points previously. You can read all these details on the offical exam guide: https://support.offensive-security.com/#!oscp-exam-guide.md

The previous day I had set up the alarm for 10:30 am but I expected my internal bioclock to wake me up earlier than that. I wanted to make sure 10:30 would be the latest. I generally plan for an average of 8 hours sleep but also try to leave some time for a morning work-out session and some caffeine injection. As predicted I woke up at around 10, and had ample time to do an interval training session at home to get the blood pumping and increase oxygen flow to the brain. At exactly 12:00, I received the email with the VPN connection information for the exam lab. All was set and the challenge began.

I took down the first machine in the first hour or so - I had seen one of the vulnerabilities in a penetration test before so that helped speed up the process. That was a huge confidence boost. Starting strong.

I then moved on the next system where I got a low-privileged user shell relatively soon. Not bad. One cup (only) of coffee consumed so far. Little did I know that privilege escalation in that box would make me waste so much time, poking around dead-ends. After unsuccessfully spending about more than an hour trying a variety of things, I decided it was time to move on because I would need the energy to focus on the rest of the targets. I was not too worried though because as a night-owl I tend to naturally perform much better during the evening hours. That is something that you have to keep in mind when scheduling the time of your exam and how you manage your pace throughout the day depending on when you function most optimally. I was at 2 coffee cups now and decided to take a small break and eat some chocolate. Pacing and taking small breaks is highly recommended - you need to give your subconscious mind some time to work on potential solutions when you are stuck. It is very easy to get tunnel vision otherwise.

Since I was confident I could easily tackle one of the harder boxes (for reasons I cannot disclose here because it would be considered a spoiler), I turned my focus on the ‘easier’ (based on the points assigned) one first. Although I was almost certain I had identified the correct vulnerability, the relevant exploit would not work under any circumstances. I had made all the necessary modifications (shellcode etc.) but none of the attempts bore any fruits. I rebooted the VM quite a few times (almost once per attempt) in case something was wrong but still. I even used metasploit against it (which you are allowed to use only against one host) - that didn’t help either. This part was quite frustrating because in my mind this box wasn’t supposed to be that hard.

I then briefly attempted to hack the hardest machine but after spending some time on it, I realized that it would take much more focus than I was anticipating so I temporarily gave up on it. I decided it was time to increase my morale by attempting to take over the other system about which I was more certain as to the methodology required to subvert it. Surprisingly, and I say surpisingly because I wasn’t sure what to expect thereon, after so many confidence blows, it went pretty smoothly and after less than 90 minutes I had a working exploit and had collected all proof (screenshots of every step). I still didn’t have enough points to pass though.

It was midnight and needed more points, so I had to try harder on the remaining targets. I went back to the (supposedly) easier system. Then it came to me. I had to think out of the box - I did a modification to my exploit and got my shell. One more down. Now I was borderline - I could have accrued the required points to pass but only with a very specific assumption about the worth of the low-privileged shell from that previous system - this was no good. I had to make sure I was above the 70 points. It was after 1 am and I figured some sleep would make my brain produce some fresh ideas so I set my alarm clock for 2 hours later. Alas, with so much accumulated stress, I wasn’t able to really sleep - I was just visiting this hazy state of simultaneously being half-asleep/half-awake, the rejuvenating effects of which are diminutive at best. However, even this short rest gave my brain some time to prepare for the second-wind (or N-th wind for that matter). That was all I needed.

At that point, I felt I was the victim of my own thought-process because I came to the realization that I hadn’t tried some of the tests I should have done from the very beginning. Lesson learnt. Another reason why using checklists is so important. In a matter of minutes and a couple dozens lines of code later, I had my elevated shell and had fully compromised the host. I had collected more than enough points now. This was a certain pass and at about 4:30 am I heaved a huge sigh of relief. I could now start playing around with the last host, which I did for about an hour at which point my brain was screaming for some downtime. My adrenaline deposit was quite low as well because I knew that this host was optional. I now slept more normally until 9 am and had 3 hours left until the exam ended. This host was very time-consuming and I attempted a wide variety of techniques to break into it. After getting quite close to finding the right trick (according to what the tests so far had shown me), the vpn connection was dropped. It was almost noon and I knew I had to write a full-fledged penetration test report documenting all my findings and how I managed to hack each host step-by-step. This was the easy part but it still was a 61-page document that had to be written in a professional manner. The exhilaration of being sure I had passed (as well as artificially pumping my cortisol and adrenaline levels up with some caffeine) helped me push through the day and submit the report before 8 pm. Then I had some of the best night’s sleep for quite some time.

Overall, the exam was challenging and most of the machines often required extra research (a lot of googling included) to identify and then exploit the vulnerabilities. I cannot say anything more about it, but be prepared to do your due diligence and test your will, fortitude and creativity.

After two days I got the email notifying me I had passed.

OSCP mail

Conclusion

All in all, I highly recommend the course for anyone:

  • endeavoring to be competitive in the information security industry
  • wanting to hone their penetration testing skills
  • have fun with a challenging lab network
  • aspiring to strengthen their grit and spirit (seriously)

The course and the exam will test your knowledge, your creativity and your nerves. But if you manage to increase and improve all three, then you will have definitely advanced a step higher in the infosec world.

OSCP cert