I passed the OSCP. Finally. Here’s how.
It’s been a long time coming, and after almost a year of effort I am thrilled to have finally pushed this over the line. Going from next to no experience to passing the OSCP exam truly is one of my most difficult accomplishments.
Here are my general thoughts on this entire experience before, during and after this certification process.
Penetration testing, red teaming and offensive security in general have always been an area of information security that fascinated me. Ever since I first learned about these types of jobs I knew I wanted to at least learn the required skills to be successful in this area. After passing the Security+ exam and settling into a job as a Security Analyst, I felt that the time was right to begin studying how to do basic penetration testing.
Another reason is that I wanted to challenge myself by studying toward a certification on the other side of the proverbial security coin. I feel like Blue and Red Teams are often a bit too separated in InfoSec, so I wanted to learn more about Red Teaming techniques to help bridge this gap.
As I researched my options, I quickly came across the OSCP and knew that this was what I wanted to strive toward. It was one of the only certifications that offered a fully practical course and exam, so the opportunity to gain actual experience along with a well-respected certification was a no-brainer. I downloaded the latest image of Kali Linux and set off on the long and tiring road to passing the OSCP.
Preparing for the PwK
I honestly didn’t have a lot of direction when I first started out. I read some books, watched video courses and generally stumbled my way around the Linux command line. Through consistent exposure I slowly started to become more comfortable with the tools and concepts. By purchasing a VIP subscription to HackTheBox and following along with IppSec’s walkthroughs, I was starting to get a real feel for the processes and workflows required to make progress on various vulnerable machines.
Eventually, I grew impatient with preparation and felt like I needed to pull the trigger. I started the PwK course.
Penetration Testing with Kali Linux
I made my way through the PwK courseware, but didn’t quite manage to complete all of the lab exercises. I had a few issues with some of these exercises, and didn’t feel like it would be worth my while to spend the time and effort required to troubleshoot them. I was itching to get stuck into Offensive Security’s vulnerable machines.
In all honesty I stumbled my way through a large part of the lab environment, relying heavily on the forums for hints to help me along. I still didn’t have my own processes down to navigate my way through each machine, nor did I have the skills to make exploits work when things weren’t going as planned. Although I managed to complete 28.5 machines, I didn’t have much confidence in my ability. I headed into my first exam attempt hoping for the best.
The Exam (Attempt #1)
As I wrote about in another post, I failed. I got much, much closer than I expected I would but ultimately fell just short. Finishing with 3 root shells and 1 low privileged shell, I ended my first exam attempt with 65 points. I spent so long trying to get the final privilege escalation to work, to no avail. A couple of days later I had a lightbulb go off in my head as I realized what I had been doing wrong. If only I had been able to connect the dots during the exam, this would be a much, much shorter post.
After all of this, I took a bit of a break to reset mentally. I had been working so hard up to this point that I felt a little burnt out. As life would have it, I ended up getting a new job in a new city, so my break was extended out to about 3 or 4 months as I settled into a new lifestyle and routine. Whilst my skills did deteriorate a little during this time, I feel it was necessary for me to step away from the OSCP for a short period while I focused on other areas of my life.
Coming Back Strong
I played around a little with the PenTesterLab platform, completing the Web Essentials badge. One of my weak points from the previous exam attempt was testing web applications – SQL injection and XSS in particular – so I thought this would be a good way to target this weakness. I found that despite the range of content available on this platform, I wasn’t getting a huge amount of value out of it compared to the practical experience vulnerable machines provided. I decided to leave PenTesterLab and after another brief break, shift focus back towards HackTheBox.
Finally, I felt like I was ready to come back with some serious steam. I started by jumping right into the HackTheBox platform, getting root on 5 of the active machines and gaining the ‘Hacker’ rank. After deciding the remaining active machines on HTB were more difficult than what was required for the OSCP, I again shifted my attention to chasing a more intermediate certification – the eJPT. Although in hindsight this certification was a level below where I was at, it was still a fun little exercise that helped me build up some extra momentum.
I then spent the next two months in the Virtual Hacking Labs environment, which was by far the most beneficial time out of my entire OSCP experience. I learned so much from the course material, lab environment and users on the unofficial VHL Discord that it put my other efforts to shame. I compromised 28 out of 42 machines in this environment and learned something new from every single one. I’ll write up a full review of Virtual Hacking Labs shortly, but I cannot recommend it enough. A special shoutout needs to go to Discord friends ^Sol#9558 and t0thkr1s#0880, who were extremely helpful throughout my time in the VHL labs.
The Exam (Attempt #2)
I started the exam at 12 pm Saturday, which is a little later than what I ideally wanted. My preference was for an early morning start to maximise the amount of time I had during the day, but this was the best timeslot I could get when booking the exam. OffSec had improved their proctoring service considerably since my last attempt, and I had no issues getting my exam environment up and running.
Like most exam takers, I started with the 25-point Buffer Overflow machine, and was able to knock this out in a little under an hour. I quickly moved on to the 10-point machine, and finished this off in a similar amount of time. 2 hours in and I had 35 points, a solid start.
This is where I hit my first wall: I cycled through the remaining 3 machines, unable to make significant progress on any of them. Just as I was starting to feel desperate, I made a breakthrough on a 20-point machine to gain a low privileged shell. From here I was able to quickly escalate the privileges to root. 55 points and about 7 hours down.
With 2 machines left, I once again spent multiple fruitless hours trying to gain a foothold on either of these machines. Finally, at about 12 am, something clicked. I had gained a low privilege shell on the other 20-point machine. Yet another quick privilege escalation took me to a total of 75 points, and I had secured the pass. I was pumped.
For completeness’ sake, I spent some extra time on the final 25-point machine. Just before I decided to call it a night, I threw a Hail Mary exploit attempt and, to my surprise, this worked. I had gained the final low privileged shell. I spent about an hour or so attempting to escalate this to complete the 5/5 set, but couldn’t find anything and decided to call it a night so I was fresh to write the report the following day. Finishing with an estimated 85 points, I went to bed at about 2:00 am.
My head was still spinning as I was lying in bed, with the copious amounts of caffeine no doubt playing a part. Despite not getting a great deal of sleep, I woke up at 7 am to go over the machines I had done, and triple check I had adequate screenshots and proofs. I then ended my VPN connection to start on the report.
This was a generally pretty easy exercise; I had already put considerable effort into the report from my previous attempt, so I was able to leverage that format by replacing only the relevant sections. I took my time with this, and finished my report at around 4 pm on Sunday.
OffSec noted that results would be sent to me within ‘10 business days’, however they were able to get these results to me less than 48 hours after I submitted the report. I had expected to pass this time around, but it was still a huge relief when I saw the confirmation email come through. After a solid 11 months of on again off again study, full of ups and downs, I was finally an Offensive Security Certified Professional.
What changed between attempts?
The obvious improvement I made between exam attempts was my ability to escalate from a low privileged shell to root or admin. In particular, my privilege escalation ability on Linux boxes was night and day compared to my first attempt. Where I used to dread having to do this step, I now really enjoy the process and the satisfaction gained from escalating to a full root shell. In my second exam attempt, I escalated privileges on both 20-point machines in about 30 minutes each. This saved me a lot of time in the exam and provided a much needed morale boost. In my first attempt, I was one privilege escalation away from passing and I set out to improve in this area. I was very happy to see that these efforts proved to be invaluable in me being able to pass.
In general, I was just far better on my second attempt than I was on my first. I attribute this to nothing else but practice. I spent more time on vulnerable machines and I became much more comfortable with what I was doing as a result. The Virtual Hacking Labs and HackTheBox environments are excellent, I would highly recommend them to anyone working their way towards the OSCP.
Final Thoughts and Moving Forward
I’m not too sure where I want to head now that I’ve achieved the OSCP. One option is to go deeper into the penetration testing field, focusing on bug bounties and web applications. Alternatively, I am interested in cloud technologies, so pursuing cloud security certifications is also something to consider. I need to take some time to decide which path I want to head down, but I’ll be sure to write up a new post once I have, so stay tuned.
I am immensely proud to have passed the OSCP. The amount of effort and dedication I put into this certification is something that only I can truly appreciate. I learned so much over the past year that it seems strange now to reflect back on how much I have progressed. The journey of going from knowing next to nothing about Linux and penetration testing, to being a qualified OSCP, is something that will stick with me for years to come.