My Journey To Offensive Security Certified Professional (OSCP)

About Me:

Hello all, I thought that I would write this review as it seems like a good way to share my experience with everyone. I started the Offensive Security Certified Professional-Penetration Testing with Kali Linux course in April of 2018 and received my confirmation email toward the end of June 2018. Really, the whole process from start to finish took about 140 days, as I started my journey with Hack the Box. Education has always been sort of an addiction of mine, and I like to learn. While I hold a BA in Sociology, an MS in Criminal Justice, and I am five classes from an MBA, I thought, why not see if I can achieve this certification?

I had always been interested in hacking and learning code and had played around a little with different hacker tools, and I was very familiar with Kali Linux, as I used Kali for computer forensics and overall Linux learning. Being bored one day, I had remembered about an old website that challenged people to hack them and began to look for the site online. Not long after doing some Google searches, I came across Hack The Box (HTB), and the challenge was on. Even to get into the site, you had to hack the invite code to send an invite to yourself, and once I was in I couldn’t put it down. It wasn’t long before I reached GURU status and made top 20 of the hall of fame. I was pretty good at this. However, you couldn’t just place “I’m good at HTB” on your resume, so I began to look for certifications in offensive security.

 

OSCP:

My search ultimately led me to Offense Security’s Offensive Security Certified Professional Certification, or OSCP certification. This seemed to be all the rage and everyone I talked to aspired to pass this exam. After reading about it, it was easy to see why. To take the exam, you had to sign up and take their Penetration Testing with Kali Linux course. This course, overall, is affordable and definitely worth the money. I signed up for the 60 day course, thinking that this would give me the time I needed to complete the lab exercises. It is recommended if you have no experience that you at least do the 60 day lab, but probably should do more. Being that I made Guru in HTB, I thought, why not do the 60 days?

Lab:

After a few weeks, I got my course pdf, video, and vpn connection information, and I signed on right away. At this point, I dropped HTB and focused strictly on the OSCP lab. Talking with other students, I found that some started reading and doing the pdf exercises and others just dove into the lab, I just dove in. Now I will say that the pdf and video offer a lot of important information, and is a must read and watch, but I didn’t spend the time to go through the exercises. For me I like the hands on and the reading and doing some of the basics were a waste of my lab time. The first day I knocked out 3 or 4 boxes and began to think that this was way too easy. However, that would bite me in the ass later. I wasn’t doing post exploration and ended up having to come back to those boxes and search them for loot. Overall, the lab was basic enumeration and exploit searching, a few CTF type boxes, and BOF’s. I finished the lab in under 40 days and felt ready to take the exam, so I signed up, thinking that if I didn’t pass, I still had time to go over all the boxes I was able to root, and see what I may have missed. Good thing I did this!

 

Exam Attempts:

I set the first attempt on the 9th of June, and man was it difficult. I spent 22 hours banging my head on my keyboard. I was able to root the 10-point box, a 20-point box, and the BOF. However, for the love of God I couldn’t find the foothold on the other 20-point box. No matter what I tried, I just couldn’t get anywhere. So, I finally fell asleep, and my wife woke me up after 2 hours of sleep and told me to get back to it. At this point I had a few hours left before the exam was over and didn’t see myself getting anywhere, but I still tried. 15 minutes before my time ran out, I found what I was looking for. Man, that really was a relief, and I was mad at myself because it was such a simple thing that I just kept overlooking. I don’t think I ever typed so fast in my life than I did in that 15 minutes, but still wasn’t able to find my way, and my vpn was disconnected. The first attempt failed, but I learned a lot, and wasn’t discouraged. I loaded up my browser and rescheduled for a second attempt. The second attempt would be set on June 24th, so I had some time to go back through the lab and to do some of the vulhub vm’s (I really recommend them). When the 24th finally came around I wasn’t feeling as stressed, and at 12pm central time I began the exam for the second time. This time I started with the BOF and was able to knock that out within an hour. That left me with 23 hours to root 3 boxes. The next step was to root the 10-point box, and after some enumeration and a little luck, I was able to root that box as well. So, with 35 points and lots of time, I picked one of the 20 point boxes, and began my enumeration.

These 20-point boxes could be very hard, and very tricky. I just kept telling myself to keep it simple, and not overthink the exploits. Unfortunately, coming from HTB, this wasn’t the easiest thing to do. Over a bit of time, I got a low-level shell and was off to find the privilege escalation. I got stuck here for awhile and had to step back and start my enumeration over. Again, I thought, keep it simple and use what I learned in the labs. After hours of looking and trying different things, I found what I was looking for, and again it was right in front of me. I used Google to search for information, and in no time, had three boxes out of the way. At this point, I was feeling good, as I had a lot of time left and just needed one more box. So, I started my enumeration on the 4th box, and I swear I thought I was going to pass out when I realized that it was the same box that got me the first time around. I had to step away just to grasp what I had just seen. After thinking about it for a minute or so, I sat back down and was like, “Okay, I got this!” I was able to get back where I was the first time in just a few minutes and began again to enumerate. Of course, I ran all the regular scans, and took screenshots for the report I would need to write the next day. An hour went by, and I still couldn’t move past that original foothold, and then 3 hours, then 6, and still stuck. I was so upset that this box was going to be the death of me again.  After taking a break and again telling myself to keep it simple, I started enumerating again, this time in a different manner.

I went back over a few things I thought should be vulnerable and tried different ways to exploit it. Right when I was ready to give up, I finally found the thing I needed to get a low-level shell. Okay, now to get privilege escalation, and then I would have the points needed to pass. From the hours of enumeration, the privilege escalation was already in my mind and I was 99% sure of what to do. However, at that time I wasn’t thinking right and was so tired. I kept thinking I needed to do a certain thing to exploit it and it wasn’t working. Man, this box just didn’t like me.  Again, stepping way for a few minutes and playing some Fortnite, I came back with a plan, Keep It Simple! Within a few minutes, I had root and the 75 points I needed. WOW! Once I got the screenshot proof, I began to go over all the things I would need to write the exam report; screenshots, notes, and making sure the proofs were submitted in the exam panel. After 14 hours, I was able to sleep. The next morning, I still had a few hours to double check my notes and screenshots and was ready to begin the report.

Overall:

It wasn’t even two days, and I had my confirmation email saying that I had successfully passed the Offensive Security Certified Professional Exam and I was now OSCP certified. I couldn’t believe it! In just 140 days, I was able to pass one of the hardest Offensive Security exams available.

I really enjoyed my experience, learned a great deal about network penetration testing, and would recommend the course to anyone that is interested in cyber security and hands on learning.

While this isn’t a technical review, I thought I would share my overall experience and the fact that you should never give up, as the root shell is always just right around the corner.

The question now is, what’s next?

 

 

Thank you, Offensive Security, and everyone else that was supportive in this endeavor.