In December 2018 I had the pleasure of undertaking and passing the Offensive Security Certified Professional (OSCP) exam. And while there are no shortage of OSCP write-ups and postmortems, I thought I would give back to the community and share my experience with doing the proctored version of the exam in the hope that soon-to-be-OSCP's may find it helpful. (The enforcement of proctored examination came in August 2018)
If there's one thing to take away from this post it's not that by following this guide you will pass the exam, but rather by going through the OSCP you will learn a lot about yourself -- as far as I can tell this is equally as rewarding as passing the exam itself. The constant dead-ends, unknowns, and the elation of finally achieving your goal will put you on the emotional roller-coaster. It is for this reason that your willpower, grit, determination and perseverance will truly be evaluated. And that's just the beginning.
Should I go for the OSCP?
It is not uncommon to see this question posed on various forums where original posters range from aspiring security engineers, penetration testers, all the way through to seasoned professionals. And the answer is: it depends. The cost of purchasing lab time and sitting the exam is relatively inexpensive compared with other well-known security certifications, but one key area that is often overlooked is time. (Hint: you will need a lot of this!)
At a minimum it pays to have some of the following prior to undertaking the exam:
- Good knowledge of the command-line. There's no way around this, and as an aspiring or current security professional this should be second nature to you!
- A good grasp of TCP/IP and networking fundamentals. This includes understanding how computers speak with each other, reading packets on the wire and understanding sockets, common ports and protocols
- Familiarity with operating system concepts. This includes both Windows and Linux systems, how storage, files, permissions and processes work
- A good understanding of programming languages. While being fluent in a particular programming language is helpful, it is not necessary to pass this course. A good grasp of bash, python and perl will go a long way though
Three things - Knowledge of operating systems, networking (TCP/IP, ports & services) and programming skills will greatly improve both your experience with the course and your chances of acing the exam!
The labs are awesome and this is where the course really shines. I thoroughly enjoyed going through the various Windows and Linux machines getting an understanding of "how" these machines work and communicate with each other. I guess you could say it's kind of like a game! The machines themselves have personalities and some are inextricably linked with others.
You will get your feet wet against a variety of hosts on a virtual network. The difficultly of "popping" these hosts range from trivial (~10 mins), all the way through to chaining multiple vulnerabilities obtaining a foothold and escalating privileges. Depending on your level of competence some of these machines may take hours and even days. There are five machines that are notably mentioned in various posts that are considered close to what you would expect in the exam environment: sufferance, humble, pain, gh0st and fc4.
I recommend taking your time to understanding the purpose of the lab machines. In essence, what services are running on the machine, why is it running those services and how said services function? This will force you to think holistically about the problem you are trying to solve. In the real world of offensive security this behaviour is expected. Indeed, being methodical about your approach will yield much more meaningful results as opposed to "throwing the kitchen sink" at the problem.
- Take your time to understand the machines
- Get an enumeration methodology on lock - quickly! Setting up shell scripts can greatly help with this
- Avoid metasploit for exploitation where possible - always opt for the manual approach first. Hint: You'll only get 1 shot at metasploit in the exam, and truth be told it is unnecessary
- Document your approach. This includes both failures and wins
- Enumerate, enumerate, enumera... you know this already. Always try the front door first
- Put yourself in a sysadmins position. What shortcuts might they take to save themselves time/ effort?
The exam (preparation and guidelines)
The exam is a 24 hour journey which involves exploiting 5 target hosts and obtaining root/ administrator privileges, after which you will have another 24 hours to submit a full penetration testing report in adherence to Offensive Security's guidelines. It goes without saying that the key takeaway here is enumeration. In other words, be sure not to skimp on your information gathering, reconnaissance phases and ensure you have a good methodology for tracking the what/ why/ how.
Without breaking OffSec's guidelines on publishing information relating to specific exam machines, what I can tell you is that skills you develop throughout your lab journey will be instrumental to succeeding at this point. One key difference is that you will need to manage your time appropriately. You have 24 hours, so think about how you want to divvy that up between taking breaks, eating, sleeping and time allocation to specific machines.
This rang especially true with me doing the proctored version of the exam which requires you to install both webcam monitoring, and screen capturing software on your host machine. The instructions for doing so are sent in advance with links for downloading the executables. (This allows you to verify yourself with OffSec and have them watch both your work environment and screen at all times)
I estimated a couple of minutes getting this set up which turned out to be quite costly in terms of time! Even with a decent Internet connection (100mb up/down) you have no guarantee on the bandwidth of the destination server. In my case, this took over an hour to get sorted with 50 minutes of that waiting for the download!
Nevertheless, the exam is simply the final hurdle of what can only be described as a both a gruelling and exciting journey toward getting certified. And by minimising unforeseen circumstances this will give you the best opportunity to be at your best on game day.
Exam and report tips
- Have a play with editing images before-hand whether that's highlighting the important parts or annotating them with shapes, arrows or text
- Get the report template nice and clean before starting
- Leave tmux open the whole time and organise machines into their various workspaces
- Download the webcam and screen recording software before starting! (doh..)
- Water, brain food and breaks every two hours worked for me
- Log all steps you’ve taken (discovery, enumeration, exploitation) in a text file somewhere.. or you could use some other reporting software to help organise. I found a markdown file for each machine was sufficient for me
- Relaaaaaxx.. you've got this
What a journey - I can highly recommend the lab and exam to anyone who wishes to put their time management, multi-tasking and ability to perform under stress to the test. There's a reason why so many OSCP'ers feel the inclination to write about their experience because it really does push these attributes to their limits, and in the end you also get a shiny certificate for your efforts! Pretty cool, huh.