OSCP Thoughts

Published on 2021-08-11 by molzy

Many people who have both a blog and the Offensive Security Certified Professional (OSCP) certification somehow feel compelled to write a blog post about their experience. I am not immune. My experience with the exam, and with the associated PWK study course, is detailed below.


Why The PWK Course?

A Long, Long Time Ago

I found out about the Pentesting with Kali Linux (PWK) course and associated OSCP certification a few years ago, back when the course was still using Backtrack Linux. The mystique surrounding the field of information security, and this course in particular, was quite strong.

At the time I did not feel ready to undertake the required study, and resolved to get around to it when I was prepared to put in the effort it would require.

Eventually, as I worked remotely during a pandemic, I launched into learning the prerequisites to the PWK course using the Hack The Box platform. This was partially to fulfil a longstanding desire to prove to myself that I am capable of this kind of work, and also to prepare for an additional, viable career path in the event of an economic downturn.

About The Course

The PWK course is well known as the most practical of the entry level information security courses, with a specific focus on network security of operating systems and applications. Offensive Security provide a large lab of vulnerable machines to remotely break into for training purposes. Most of the learning is self-directed, and some prior experience is very helpful for the course.

The associated OSCP certification is conditional on the successful completion of a well-respected 24-hour intensive exam process. During the exam, the vulnerability assessment skills and methodology practiced in the lab are put to the test. Professional report writing is also demonstrated by the completion of a penetration test report during the 24-hour period after the exam, based on the activities undertaken during the exam.


Lab Experience

Preparing For The Lab

Before starting my studies, I already had a number of useful technical skills in my toolkit:

I had read in multiple discussion forums that the PWK course lab machines are mostly similar to the Easy and Medium difficulty levels of vulnerable machines at Hack The Box. As such, I registered an account on Hack The Box, with the goal of becoming comfortable with breaking into machines such as these.

I started out feeling quite lost on this platform, and spent some time completing the initial tutorial machines while installing many new tools inside my Kali Linux virtual machine. Once I had completed these, I tried some of the challenges available on Hack The Box, read about some useful attack techniques, and eventually felt ready to tackle the vulnerable machines.

I broke into machines until I could comfortably complete Easy and Medium machines without feeling stuck - as well as some Hard and Insane machines.

I estimate that I spent roughly 800 hours on absorbing training content, building up my knowledge of the most common vulnerabilities, and learning how to make use of the tools that have been built to exploit those vulnerabilities.

After having spent this time, I felt confident that I had developed the necessary skills and experience, as well as having sufficiently prepared my toolset and methodology. I waited for a quiet period at work, and purchased the 90-day option of the PWK course.

Machines Everywhere

Since I was already used to the flow of breaking into intentionally vulnerable virtual machines, I felt confident that the lab environment would feel familiar. For good measure, I read through the interesting sections of the training PDF first. This occupied the first week of my 90 days.

I quickly acclimatised to the PWK lab. As I started on the lab machines, it became apparent that many of the exploits used are much less recent than any of the exploits I encountered on Hack The Box.

According to my activity logs, it took me roughly 200 hours to break into all of the 70 active lab machines available to me. There have been some additions to the lab since I completed it, so newcomers to the course will have even more fun than me!


Lab Thoughts

The labs take a foundational approach. This ensures that people like me - who missed out on breaking into computers during the reign of Windows XP - are able to learn some of the exploits and methodologies used in the past, and practice using them. The course builds up to more recent exploits, and overall the demonstrated vulnerabilities are varied and interesting.

The network pivoting segments of the PWK lab were especially helpful for me, compared to the free standalone vulnerable machines on Hack The Box. Learning to extend my reach through a compromised machine to the networks behind was engaging and enjoyable. I recommend finding a way into all three additional subnets in the lab - they each contained some of my favourite content from the course.

I made sure to take basic Markdown notes for each lab machine, including:

These notes were helpful during the exam, and I have looked back at them since then to recall what I was doing, and how I was doing it. As Offensive Security stresses, the most important thing to learn and remember is a functional methodology for enumerating, exploiting, and pivoting through machines, one by one.


Exam Experience

Exam Preparation

There was a three-month gap between the end of my lab time and my exam. I completed a few Hack The Box machines during this time, but for the most part took a break from security training. I had planned to ramp up practice during the weeks leading up to the exam, but this did not eventuate, and I ended up feeling a little out of practice as I loaded up my virtual machine.

Nonetheless, I managed to gain full access to all of the available exam machines in 14 hours (excluding breaks). In those 14 hours, I also completed most of the documentation as I worked. I spent another 5 hours the day after neurotically reformatting the report, and ensuring that the writing style, tenses, and narrative perspective were consistent throughout.

I scheduled the exam to start after my usual breakfast time, planning on spending the full day working on the exam. The proctoring session verification checks ran a little overtime, as it was insisted that Chromium was not Chrome, their supported browser. This is technically correct, but I was feeling stubborn. Luckily, I got away with it - and the session proceeded without issue.

Exam Scoring

The exam requires a total of 70 points for a pass. There is a buffer overflow machine worth 25 points, another machine worth 25 points, two machines worth 20 points each, and one final machine worth 10 points. This adds up to 100 total attainable points within the exam environment.

Another 5 bonus points are available upon submission of a completed lab report, including ten lab machine assessments, and every exercise from the training PDF.

My strategy was to break into the machines with the highest point values first, as I felt that the confidence boost from completing those would be helpful for me as the exam progressed.

I did not submit a lab report, since I believe it to be a large time commitment for little gain. Instead, I spent most of my lab time on ensuring that I had completed all of the lab machines.

Exam Timeline

Once access was granted, I started by running all of the enumeration scripts in parallel on all of the machines, while working on the buffer overflow machine. The enumeration was completed in the background within 30 minutes, while completing the buffer overflow exploit set me back by two hours. I attribute this to having forgotten the location of most of Immunity Debugger's functions during the months between solving the lab exercises and the exam. As well as relearning the debugger, I had to perform most of the steps a second time, because I did not take enough screenshots on the first attempt.

After this, I started on the 25-point machine, and completed it within the next five hours. I was lucky enough to not fall into any rabbit holes. Approximately half of this time was spent converting my initial one-off access methods into something that could be scripted and documented.

Continuing on, I picked one of the 20-point machines. Initial access was relatively quick to attain, but I had trouble finding a privilege escalation. After some further research, I found a working method to gain the needed privileges. However, I was unsure whether a certain part of this method would be allowable for the exam. I planned to revisit this machine in order to find another method in case I needed to guarantee the privilege escalation points, but this proved unnecessary, so I submitted the method that I was unsure of. The initial foothold took two hours, and privilege escalation took another two hours.

I turned to the 10-point machine next, which was relatively low in complexity. However, there were plenty of rabbit holes - I can see how being stressed or sleep-deprived could cause issues. I managed to complete this machine within one hour.

I had a larger challenge with the last 20-point machine, since I could not spot any useful points of entry within the enumeration logs, so I left this one until last. Upon returning to it, I discovered that simply reverting and scanning the machine again displayed numerous services that had not been discovered on the prior scan. This was most likely due to the initial scan being conducted in parallel with the other machines. Once the complete scan results were available, the initial foothold became clear. Privilege escalation was complete after some tinkering, and overall this machine was taken over in two hours.
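The lesson from that last machine is that a scan run under load can silently miss open ports, so it is worth checking a repeated scan against the first one before concluding that a host has nothing of interest. As an added example (my own, not part of the original post or of any tool it names), the Ruby script below parses two nmap greppable-format (-oG) outputs for the same host and reports the open ports that only the second scan found. The scan lines are constructed for illustration and are not from the exam; the host address and service banners are made up.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original post: compare two nmap -oG scans of the
# same host and list open ports that were missed by the first scan.

# Parse one -oG "Host:" line into { "port/proto" => service } for open ports.
# A greppable port entry looks like: 22/open/tcp//ssh//OpenSSH 7.9p1/
# (fields: port/state/protocol/owner/service/rpc-info/version/).
def open_ports(gnmap_text)
  ports = {}
  gnmap_text.each_line do |line|
    # Only "Host:" lines carrying a "Ports:" field describe scan results;
    # comment lines and "Status: Up" lines are skipped.
    next unless line.start_with?('Host:') && line.include?('Ports:')
    ports_field = line.split('Ports:', 2)[1].split("\t", 2)[0]
    ports_field.split(',').each do |entry|
      fields = entry.strip.split('/')
      number, state, proto, service = fields[0], fields[1], fields[2], fields[4]
      next unless state == 'open'
      # nmap leaves the service field empty when it cannot identify it.
      ports["#{number}/#{proto}"] = service.to_s.empty? ? 'unknown' : service
    end
  end
  ports
end

# Open ports present in the second scan but absent from the first.
def missed_ports(first_scan, second_scan)
  seen = open_ports(first_scan)
  open_ports(second_scan).reject { |port, _| seen.key?(port) }
end

# Constructed sample: a hurried first scan run in parallel with others.
FIRST_SCAN = <<~GNMAP
  # Nmap 7.91 scan initiated (constructed sample, not real output)
  Host: 10.0.0.5 ()\tStatus: Up
  Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/\tIgnored State: closed (998)
GNMAP

# Constructed sample: the same host rescanned on its own after a revert.
# Port 8080 has no identified service; 3306 is filtered, not open.
SECOND_SCAN = <<~GNMAP
  Host: 10.0.0.5 ()\tStatus: Up
  Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.9.5/, 8080/open/tcp/////, 3306/filtered/tcp//mysql///\tIgnored State: closed (994)
GNMAP

if __FILE__ == $PROGRAM_NAME
  missed_ports(FIRST_SCAN, SECOND_SCAN).each do |port, service|
    puts "missed in first scan: #{port} (#{service})"
  end
end
```

Run against real scans by reading the two -oG files into strings and passing them to `missed_ports`; a non-empty result is a prompt to re-enumerate before writing the host off.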


Exam Thoughts

Sleeping

It was around my usual bedtime when I received the complete scan results for the final machine. Since my exam was scheduled to end during the following morning, I had to make a snap decision - do I sleep now, or push through and sleep later?

In hindsight, I should have opted for the former option, as I was already in the mood for some sleep. However, I ended up staying awake for around two hours longer than usual, in order to complete this final 20-point machine. This decision did not end up impacting my exam result negatively, but I was needlessly tired for the next few days. The same work could have been done the following morning, and if I were to do the exam over, I would opt for that.

Report Writing

For my report, I used a template from the Offensive Security Exam Report Template in Markdown project - specifically, the whoisflynn version. This template presented me with a cohesive, coherent, and complete structure to build up my notes with as I worked. Having the template available saved me a lot of preparation!

I modified the included report generation script to automatically generate my report using the whoisflynn version of the template, instead of presenting me with a set of menus.

This script handily ensures that the filenames and compressed archive are in the specified format, as required by OffSec.

generate_exam_report.rb
#!/usr/bin/env ruby
# Builds the exam report PDF from a Markdown source with pandoc and the
# eisvogel template, then packs it into a 7z archive named as OffSec requires.
src = 'exam-report.md'
exam = 'OSCP'

# Enter your OS id
osid = 'OS-XXXXX'

# Choose syntax highlight style
style = 'breezedark'

abort("Source file #{src} not found") unless File.exist?(src)

# Generating report (arguments are passed directly, so no shell quoting is needed,
# and a pandoc failure stops the script instead of producing an empty archive)
puts 'Generating report...'
pdf = "#{exam}-#{osid}-Exam-Report.pdf"
system('pandoc', src, '-o', pdf,
       '--from', 'markdown+yaml_metadata_block+raw_html',
       '--template', 'eisvogel',
       '--table-of-contents',
       '--toc-depth', '6',
       '--number-sections',
       '--top-level-division=chapter',
       '--highlight-style', style) or abort('pandoc failed; report not generated')

# Generating archive
puts 'Generating archive...'
archive = "#{exam}-#{osid}-Exam-Report.7z"
system('7z', 'a', archive, File.expand_path(pdf)) or abort('7z failed; archive not created')

The PDF generated by this process had a total length of 74 pages, while the source file contained roughly nine thousand words. More than half of those words were scan reports and code.

Exam Style and Length

I am not a fan of the unspoken expectation of "all-nighters" as a regular business practice in information security. It strikes me as being fundamentally unhealthy, and I have no intention of pushing myself in that manner on a regular basis. However, I do have a perverse appreciation for the gatekeeping that is provided by the 24-hour OSCP certification exam. Since it is so incompatible with any full-time role and most family situations, you have to be passionate about the infosec industry to go through with it. I feel that it makes the certification more valuable, since anyone who has earned it must have experienced a certain amount of stress, while also spending a fair amount of time researching exploits, developing their skillset, and honing their methodology.

That said, there are plenty of negative effects of this style of exam, and seeing that all further courses offered by Offensive Security use the same exam style has me feeling far less motivated to continue taking courses with them - at least while I am not employed in the field. Now that I have this entry level certification, I would rather spend time on bug bounty hunting, or some other form of real-world experience.

Special Thanks To...

First of all, it is worth pointing out that the time taken by this type of study can easily conflict with many of the other priorities of life. I want to thank the people in my life for being supportive of my studies - it really helps.

The enumeration provided by nmap was sufficient to find the foothold for each of the exam machines. I can't praise the authors of the nmap and autorecon tools enough, including all of the associated single-purpose scripts and utilities. After a quick configuration change to use the ffuf tool for HTTP enumeration, autorecon automated the initial enumeration phase almost entirely for me, thanks in large part to the reliable port enumeration provided by nmap.

I am also indebted to the Offensive Security Exam Report Template in Markdown project.


Tips

Unsolicited Advice

Take these suggestions with a grain of salt, as my experience will most likely be different to yours. We are all unique individuals, with our own wildly diverging paths!


Thank you for reading this writeup of my PWK/OSCP experience, and I hope that some part of it was - or will be - useful to you.