It’s been about a week since I’ve fully recovered mentally and physically from my Offensive Security Certified Professional exam. A lot of people wonder (myself included) if they are ready to tackle OSCP. You’ll often see people ask OSCP credentialed individuals on what their background is and how much effort did they have to put into OSCP. So rather than give you the “this is how OSCP works” spiel, I’ll aim to answer those questions!
My Security Experience
I did general IT help desk/administration for about a year before I got into security. I have specialized in security for about 4 years. In that time I have done vulnerability detection, analysis and remediation for networks of up to 3,000 hosts. I have personally conducted a few penetration tests and also acted as a defender during red-team engagements. At the present, my day-to-day job is the management of several security teams. I have participated in around a dozen CTF’s, developed security training networks/scenarios. In my personal time I have created this website, challenged myself with overthewire and vulnhub. I’m very active in online security communities. Finally, I’m on the board of a STEM non-profit to helping High School students learn about security. I would say most of my experience and training has been in Incident Handling and Red-Teaming. I’m very comfortable in linux, windows and networking fundamentals and can read python but can’t write python “fluently”. I can hack together my own scripts in a few languages with the help of google and not put forth too much effort.
OSCP Exercises and Lab
Work paid for 90 days of lab time but I managed to knock everything out in 60 days. With a baby on the way I wanted to get my certification done before my wife entered the last month of her pregnancy.
According to my OSCP log the videos and exercises took me about 40 hours. I would do the exercises and do your lab report appendix at the same time. The grading rules for OSCP has changed as of 31 May 2017 and you can only receive five points for your lab and exercise report. Five points may not seem worth it but it will get you comfortable with creating a format and workflow for your exam guide.
I spent about 43 hours in the lab and in that time I managed to break into 19 boxes, so I averaged 2.2 hours per box. I did look on the forums at times to see if my attack vector was correct or if I was going down a rabbit hole. I used metasploit for two really easy, very obvious boxes in the very beginning and as I spent more time in the lab I shied away from metasploit completely, I very rarely used meterpreter. Of the “famous” boxes I was able to pop pain and sufferance without too much of a headache, humble was more trouble than it was worth. I would say leftturn was probably my favorite box. For me, the biggest takeaway from the labs was understanding the depth or difficulty I was expected to understand. Often times I would take a step back and ask myself “Should I be completely rewriting this exploit?”. Understanding when you’re in a rabbit hole or when to move onto something else is a skill all by itself.
When Did I Feel Ready?
To be completely honest I never felt completely ready because I had no idea what to expect on the exam. I will tell you that if you can complete alpha, beta and gamma with a high degree of confidence you’re probably at a good spot.
I scheduled my exam for 10am and worked for a full 24 hours. In that time I ate lunch, took a shower, walked around outside a few times, did some stretching and drank two energy drinks. I was able to root three boxes and get limited shell in about 14 hours and really struggled after that. In hindsight I should have slept for about six hours and spent another four going at it, I think I would have been better off. I highly recommend you sleep during your exam and take breaks. When I started I felt overwhelmed and rushed but I found out that there was no need to feel that way. I didn’t need metasploit or meterpreter but I did use it near the end just for fun.
- People recommend keepnote but I like cherry tree. It allegedly fixed the crashing issues that keepnote has. I organized like this:
- Stay organized! I got kind of lost in the “fog of war” and had stuff scattered everywhere for the first few hours of my exam. During my lab time I was very organized and methodical but I probably let my nerves get the best of me. Take a breath, stay on task, and stay organized. There is plenty of time!
- https://github.com/1N3/Sn1per3 – Recon Script that is SUPER intensive. One host will take a while but the output is fantastic and very thorough. Super loud, I would never use this in a real pentest if I was concerned about stealth. NOTE: This tool has some autopwn features to it. Be careful when using it so you don’t violate any rules during the exam. Knowing what your tools do is very important!
- https://github.com/codingo/reconnoitre2 – Pretty good script, kicks out a “recommendation” output file for what it finds. Some of its paths are customized for the writer and so it doesn’t work exactly right. I used this for the majority of OSCP, not stealthy either.
- https://github.com/g0tmi1k/os-scripts3 – Automated Kali box setup. He adjusts the box for himself but there is a lot of great stuff he does in there. It did break a few things and I didn’t really like what it did to my VIM, had I used it more during my labs and felt comfortable with it I probably would have used it during my test.