Preface

I recently had the pleasure of taking part in the Penetration Testing with Kali course and obtained my Offensive Security Certified Professional (OSCP) designation. I’ve had my eye on this course for well over a year and I finally set out to take it. The timing for me was less than ideal – my course started 2.5 months before my wedding, and my exam was scheduled for a week before my nuptials 😮 I read quite a few course reviews prior to starting the course, so hopefully someone will stumble across this one and find it useful.

Experience

I’ve been working in the IT industry for just over 7 years in a SysAdmin capacity in (mostly) Windows environments, so the majority of my IT security experience has been practicing defensive security and not offensive. Though I have worked mostly in Windows environments, I am quite comfortable in a Linux environment and have experience with Bash and Perl. I did a quick intro to Python before beginning this course and watched a few buffer overflow / assembly intro videos prior to the course.

The Course Materials

The course materials were fantastic. The videos and the written lab materials complement each other well, and they give the student the feel of “We’re going to show you how to crawl, but it’s up to you to learn how to run”. This is exactly the type of teaching I thrive on – give me the basic tools and I’ll do the rest. There is no hand holding here, so be prepared to do a lot of extra research on topics. As the course motto goes, “Try Harder”.

The videos and the lab notes did a fantastic job of breaking down the course content into easy-to-understand basic concepts while making the student expand on those concepts themselves.

The Labs

If I’m to be frank, not having to set up your own labs on VMs is probably worth the course cost in itself. That being said, the labs were fantastic and I enjoyed every minute of them (even when I wanted to cry in frustration). I’ll admit that it took me a little while to get into the spirit of the labs – really thinking like a nefarious party and what they would do in the situation was tricky for me at first. For the first couple of boxes I compromised I made note of the “proof.txt” file and simply moved on. This was a critical mistake, as I found myself having to re-compromise machines and look for loot or info on other boxes / users all over again.

I was dedicated to the labs, but ultimately I didn’t get nearly as many compromised as I would have liked. I think my final count was 28 total compromises with a few low-level shells (out of 50 or so machines). There were several notorious boxes I didn’t even get a stab at simply because time didn’t allow. With the wedding looming and the reality being that I couldn’t justify spending another $150 USD for less than the 15 days of lab time I would have had, I swallowed my pride, let the lab VPN drop and set about creating a game plan for the exam I had scheduled the following Friday.

The Exam

Even though the lab VPN had dropped I knew I could still prepare for the exam. My thought process when formulating my plan was as follows (note that this was simply my thought process and I won’t confirm or deny whether my assumptions were correct).

  • From reading other OSCP course reviews I knew there would be a Buffer Overflow example on the exam. Consider this me doing my OSINT on the target 🙂 I made sure I was very comfortable with BOs and reviewed the process several times prior to the exam.
  • I figured that, due to computational limits some students might have, complex password attacks would likely not be present.
  • I chose not to focus so much on client-side attacks as I did not think they would be present.
  • I spent quite a while focusing and brushing up on privilege escalation techniques as I thought they would be an important part of the exam.
  • I did not have a formal game plan as to how I would utilize my 24 hours – I figured I would roll with the punches.
  • I did NOT script my enumeration process. I know that some recommend doing this, however I didn’t have the time to create the scripts and I felt more comfortable running the commands manually.

The exam started at 9 AM on a Friday morning. Right away I started on the BO challenge and had popped that box in 90 mins. It would have been quicker had I been a bit more thorough in a particular step but I was hasty and it cost me some time. Lesson learned.

I managed to get a limited shell on a second machine quite quickly, but efforts to escalate were not working for me. I had an exploit I thought would work but I could not get it to compile. I even downloaded a copy of the exact OS, pre-compiled and transferred the exploit to the target machine, and no bueno. This was obviously not the vector that needed to be exploited. I put that machine on hold and went after another big fish.

I must have spent a good 6 hours on that box and got nothing. They say that the definition of insanity is doing the same thing over again and expecting a different result. That was this box for me. I was getting nowhere fast so I needed to change my focus.

I turned my focus to another machine and managed to get a foothold with a bit of patience. The privilege escalation practice and studying I had done paid off and I was able to escalate quite quickly with this machine. Just like that, I was back in the game.

I went after the lowest point value machine next. After a couple of hours I found the way in and was greeted with a full shell.

At this stage I had 65 out of the 70 points required to pass – I figured that either another low-level shell on the last machine, or completing the other low-level shell I already had, would lead to a successful exam. I decided to put the escalation techniques back into effect and focused on the low-level shell I already had. It took about 4 hours but I managed to find the attack vector and let out a big smile as I typed the “id” command and was greeted with uid=0(root) gid=0(root) groups=0(root). It was now 4:30 AM and I headed to bed, woke up at about 8 to re-exploit all the machines and take the appropriate screenshots.

With 75 points I knew I did not have much wiggle room as far as point deductions were concerned for mistakes in my exam report. Offensive Security has very specific things they want to see in your report and they explicitly state what will cause you to lose points. I put probably about 8 hours into my exam report – if I read it once I read it 10 times to ensure everything looked good. At about 6 PM Saturday I submitted my report and anxiously awaited word. I did not get to submit a lab report (reasons below) so I was quite nervous about any point deductions in my report. As of 10 AM Monday morning I received the email stating that I had passed.

Tips and Advice

  • Don’t use KeepNote for documentation. I know Offsec recommends it, but I had problems with it twice that prevented it from opening files I had already created (the second time being on the exam, which left me without my cheat sheets). I don’t have a viable solution but I would recommend not using it based on my experience.
  • Find a way to control your emotions – This was critical in my passing of the exam. You need to find a way to suppress your anger that an exploit isn’t working, your fear that time will run out and your frustration that you can’t find an entry point.
  • Get your hands on a good privilege escalation script – there are lots of great resources out there and this really helped me on my exam.
  • Beware the Red Herring – There were times I thought I would roll over a box and be done in 15 minutes and walk out 10 hours later with nothing to show for it. Realize when you should take a step back and re-assess your enumeration.
  • Don’t use the exploit-db.com search function – I found it frustrating beyond belief. I found it much easier to use Google and use site:exploit-db.com prior to whatever exploit I was looking for.
  • Be prepared to put the time in. I know everyone says that but it’s true. I was probably putting 3 hours on weeknights, and about 12 – 15 hours on weekends.
  • Don’t set up a listen port for a reverse shell on a port you’ve explicitly blocked – Yes, I’m afraid I did this. I quite honestly spent 2 days bashing my head trying to figure out why my reverse shell wasn’t working, only to find the connection being dropped because of a firewall rule that had been set up in an earlier exercise. I will wear the egg on my face so you don’t have to.
  • Don’t think that you just sign up and take the course. I made this mistake thinking I just signed up and the course started – not so. I signed up and couldn’t start the course until 5 weeks later. This is part of the reason why it finished so close to my wedding.
  • Learn from your mistakes – there will be plenty but mistakes and failure are all a part of learning.
  • Always keep it simple to start with. Sometimes privilege escalation can be as simple as sudo.
  • Don’t be afraid to ask for help or use the forums – sometimes you’ll need a hint as to how far outside the box you may need to think to compromise a server.

External Resources (too many to list, but these were a big help)

Penetration Testing – A Hands-on Introduction to Hacking (Georgia Weidman)

Python Crash Course (Eric Matthes)

The Hacker Playbook 2 – Practical Guide to Penetration Testing (Peter Kim)

Fuzzy Security – Windows Privilege Escalation Fundamentals 

What’s Next?

I’ve already set my sights on the OSCE certification, though there is a lot more axe sharpening to be done – perhaps sometime in the fall.

If you have any questions about the course or my experience please don’t hesitate to ask – I’d be happy to answer.