OSCP: Offensive Security Certified Professional

Last weekend (June 8, 2019) I successfully completed my path to OSCP (Offensive Security Certified Professional) certification. It was a challenge and the funniest certification I had done so far. I’d like to share this hacking experience with you.

I first mentioned this certification in a blog in April 2018 (in the article How to Hack a Computer in Seconds). At that time, however, I had no idea that there would be more than a year-long journey towards it.

There was still a lot of work to do in 2018 – we moved the company forwards, took on new colleagues, changed processes and I was getting certified CHFI (Computer Hacking Forensic Investigator). So I didn’t get to OSCP at all. It wasn’t until December that I have decided to get a fixed date, otherwise I would never get that certification. So I gifted the certification myself for Christmas, as to start with it on the first January weekend.

What is OSCP certification about?

OSCP is a certification from Offensive Security (creator of Kali Linux), proving that its bearer understands computer security (the technical aspects) and can hack whatever. 🙂 Practical emphasis makes this certification exceptional. The test itself does not include a theoretical test. Instead, you get 24 hours and VPN access to a foreign network where you hack the servers within it. In the end, you will write a report. In fact, a real penetration test.

Everyone who decides to pass the exam must go through a preparatory online course called „Penetration Testing with Kali Linux (PwK)“. It also includes a free exam attempt. This preparatory course is also primarily practical. You get VPN access to a virtual network where over 50 servers are waiting for you, and your goal is to hack as many as possible. 😊

The course also includes PDF textbooks (almost 400 pages) and demonstration videos. Textbooks are rather an introduction to the issue. You are expected to find out more on the Internet for more information.

The price of the course depends on how long you want to have access to the virtual lab. I knew there would be a problem with time, so I paid for 90 days (priced roughly at 26.000 Kč). This is not a negligible amount, but EC-Council training/certification is priced significantly higher.

In my opinion, certification is recognized in both the commercial and security communities, as it cannot be acquired simply by learning slides or test questions. I have tried to find out how many people had already obtained it, but I didn’t find the official number. Since my serial ID was about 44,000, I guess there are about 20,000 OSCP holders in the world (those who have done other Offensive Security certifications and those who have not passed the exam have to be deducted).

What knowledge did I start with

IT is my passion, so I’m always digging into something. For the past few years, I’ve spent most of my time on safety because I care about making our customers secure. I realize the responsibility and consequences of my work on our customers, their owners and employees. So I felt quite confident that I should be able to handle the OSCP.

At the same time, I have already had the following computer security certifications (and I believe that the corresponding knowledge and experience):

• CCNA: Security: General knowledge of security, L2 and L3 security, Cisco ASA.
• ECSA (EC-Council Certified Security Analyst): CEH (Certified Ethical Hacker) extension for penetration testing. I have passed the exam in version 9, so there was a theoretical and practical part (hacking X servers in a virtual lab). In version 10 they divided the exam into two certifications (they probably need to earn more $$$).
• CHFI (Computer Hacking Forensic Investigator): Focused on cyber attacks investigation. Attack detection, compromisation scope detection, remediation, tracking, and the legal minimum.

„Penetration Testing with Kali Linux“ preparatory course

I started with textbooks, it took me about 2 days. Half of the textbooks is about “buffer overflow” and exploit anatomy. I read a great book about this about 10 years ago „Hacking – the art of exploitation “ so it was rather a refresh.

Then I finally went into the lab, which I have enjoyed most of the course. You connect to it through a VPN from a virtual PC (part of the course is a Kali Linux image for VMware Player, which you run on your PC / NB).

Basic course info

• There are over 50 servers/computers with different OSs in the lab (Windows, Windows Server, Linux, FreeBSD)).
• Servers are divided into several parts of isolated networks.
• Each server contains 1 or more vulnerabilities through which it can be broken into.
• Your goal is to reach a “privileged shell” (admin/system/root) on the server and get the contents of the “proof.txt” file (screenshot confirms breaking into the server).
• You share the Lab with other students, so it sometimes happens that more of you attacked 1 server (which may be a problem). Fortunately, it is not so common as there are plenty servers in the lab and every student works at a different hour/day (there are people from all over the world – i.e. from different time zones)
• There is also a web control panel, where you have the option to have 8 servers rebooted every day. Sometimes it happens that someone does not return the server to its original state after its attack and you are unable to attack it successfully.
• As with the course, you will also receive access to a discussion forum where you can communicate with other students and occasionally get some feedback.

What I liked about the course

The Lab has some unique features that bring it closer to real corporate networks:

• Server dependency: Part of the servers is dependent on each other. For example, to hack the server X, you must first hack server Y. You will find some information within it to help break the X server. Sometimes you need to hack up to 5 servers to reach the server X. 😊
• Pivoting: Some servers are located on other networks and are not directly accessible from your VPN. If you want to attack them, you must first break through a server in the network (eg a server with two network interfaces) and pivot through it (port forwarding or some dynamic proxy). This adds an intricate complexity to the hacking process, and you need to think more about the steps. You must double-pivot into the last admin network. 😊

Lab tips

• Take notes on your lab advance. What servers you have already broken into, ones you are left with and what was the penetration vector. It may happen that you miss something on the server (for example, some dependency) and then you have to return to that server.
• This course is not about a ‘goal’ but about a “way”. Every hour you spend in the course improves your skills.
• Quite a lot of lab servers are vulnerable to EternalBlue or DirtyCow. I encourage you not to use these exploits – it’s not the intended way of penetration/escalation (PS: you will thank me for this advice at the exam).
• You must not use the Metasploit framework on the exam (or you can use it only against 1 server). Therefore, I would recommend to not to use it even in the lab, to get used to the “comfort”, but rather to try to understand things in more detail.

How did I do in the lab?

Unfortunately, I couldn’t handle the whole lab in 90 days. As always, a lot of new work has appeared and I have traveled for a month (Cuba and the USA this time). So I have extended the Lab for another 90 days. Finally, I have managed to finish the lab (break all servers) in 5 months. I worked mainly on weekends (regular working Sunday) and holidays (especially April/May was great). Overall, the lab took about 140 hours.

I have to admit that sometimes, I have used the forum to solve the lab. Sometimes I wasn’t sure of the attack/escalation vector permissions. And rather than losing hours of time (which is the most precious for me now) with blind paths, I have looked around for help. Help is only indirect. Specific instructions/steps are not there – it is forbidden to share them at the forum, which is censored.

Final OSCP exam

The final exam is purely practical. No theoretical questions. It takes 24 hours, you can use any open book, do it from your home/office and is supervised (someone monitors you through the webcam and records the whole screen). After completing the exam, you must write a penetration report within 24 hours and send it to Offensive Security (it’s part of the exam evaluation). More information at Offensive Security FAQ and OSCP Exam Guide.

You will get VPN access to a new lab (which is just for you) at the start of the exam and the addresses of your targets. Each target is scored. The maximum number of points is 100 and the threshold for passing is 70 points. Then you have 23 hours and 45 minutes to break them. When I first heard about the length of the test, I laughed at it. I was used to exams of max 2 hours and always ended earlier.

You can book your exam date online and move it up to 3 times. The weekend is the calmest, so I´ve booked my exam on Saturday with the report writing to be done on Sunday. Looking into the reservation system, I found that the weekends were booked for weeks in advance. Fortunately, it usually happens that Saturdays begin to get re-booked on Wednesdays, as others begin to move their dates. So I was lucky and got an emptied date on Saturday at 8.6. at 8:00.

I prepared everything in my office the day before. I set up a NB with a camera that has recorded the whole office. Desktop PC on which I run VMs with Kali Linux. I got my lunch and snacks packed. And I packed my sleeping bag if things got worse and I had to sleep in the office. 😊 But I still thought I’d blow the test in 6-8 hours.

Exam day

Mild nervousness played its role and I didn’t sleep very well. However, I woke at 6 am, had breakfast, washed and got to work. I arrived at about 7.20. I tested everything, prepared it, and waited for a connection with the proctor (supervisor). He checked my identity, the room in which I would work (via the webcam), the virtual, and allowed me to access the lab.

I was at the start at 8:15 and ready to pass the test. Perhaps I will not disclose anything secret when I write that I have received a total of 5 targets. First, I started enumerating the servers (what’s running on them, what systems there are, etc.). I have to say that OS (Offensive Security) guys don’t really make it easy – things just don’t go as smoothly as you’d expect. 😊 I have focused on the first server and broke it completely at 11:32. The server took me about 3 hours, which was longer than I have expected. If I could break the other servers at this speed, I’d finish sometime before midnight.

Unfortunately, it had gone seriously wrong since then. It was 4:40 PM and I was spinning between 3 servers since my first success. I had a rough idea of what to do, but I was stuck with something at each and every one. I always worked on 1 server for an hour and when I couldn´t move, I would move to the next. Again and again.

I have decided to take a break. I took a snack and went to the park for a while. My eyes hurt from the monitor anyway (you can pause freely during the exam). I have resigned that I would not pass the exam today. However, I still wanted to break as many servers as possible in case I get the same/similar servers the next time.

However, after returning from a break, I managed to break through. I figured out what I had overlooked before and got a step further. From that point on, I knew exactly what to do. And the server got hacked within an hour. I had 2 out of 5 servers at 6:19 pm.

I decided to take another quick break – it was necessary to refill the caffeine. But before I left, I tried some other server ideas. Bingo again, I managed to move a little further. Exactly the piece I needed to get to the familiar path. With a smile and a better mood, I jumped for a coffee. Energy and mood began to come back, and I have got to believe that today would not be wasted. 😊

Back in the office, I went to the 3rd server and at 8:07 pm, I gave it a checkmate. There were only 2 servers left, and I was just below the 70 points. I needed to break at least 1 other server. There were still 12 hours left until the end of the test, but it was clear that fatigue would come with the coming night, and the perception would dull.

I have started to work on the server I hadn’t touched before. I kept it deliberately last, as I believed that I would definitely break it (the assignment here is a little bit more specific than others). It was a piece of cake and at 9:27 pm, the server was hacked.

I still had 1 server left, but I already knew I had 90 out of 100 points, which was enough for me to succeed. Professional honor, however, led me to beat all of the servers! I have devoted 3 more hours to the remaining server. Unfortunately, I was constantly spinning circles.

At 0:20 in the morning, after 16 hours of intense concentration, fatigue has conquered honor and ego. I drove home to sleep. Paradoxically, I broke everything, except for the easiest of servers (according to the assigned points), to which I devoted 6 hours of work in total. I was most likely “overcomplicating” the server and hacking could have been simple, but that is life.

I created a penetration report on Sunday. For me, this is rather a fun part. I sent the report and looked forward to the test result.

Exam tips

Useful observations for the exam:

• Keep things organized: As I became nervous in the afternoon and was skipping targets, I have stopped being organized and lost a lot of time. I forgot what I have tried against and against which servers, as well as what tests I have run. So I did some things several times. And that cost me unnecessary time and energy.
• Extra points: You will get 5 extra points if you prepare a report from the lab (all exercises from the textbooks + 10 broken servers). I didn’t use it because I don’t like to write the reports and I felt confident doing the exam. 😊 However, these points can seriously help with the exam (spoiler 😉).
• Success: If you fail, don’t cry over it. As I have read the experiences of others, this is a very common thing. Some have passed the test on 5th or 7th attempt. Much depends on luck – you can easily overlook something and lose X hours in a dead end.

Conclusion

Talking for myself, both the course and the exam are amazing. I recommend them to any computer security enthusiast. Finding those 140 hours wasn’t easy (the more I admire people who are studying and working), but it was worth it.

If you would like to try something similar to OSCP, I can recommend it „Hack The Box“ or „Vulnhub“. These are free services at a similar level (many OSCP students combine it).

Alternatively, I recommend reading the experience of others, for example:

• https://medium.com/@m4lv0id/and-i-did-oscp-589babbfea19
• https://medium.com/@falconspy/oscp-exam-attempt-1-1893df5a0a00 (finally passed on 3rd attempt)
• https://zineausa.com/blog/2019/01/offensive-security-certified-professional-oscp-certification/
• https://h4ck.co/oscp-journey-pwk-course-review/ (2nd attempts)
• https://0xdarkvortex.dev/index.php/2018/04/17/31-days-of-oscp-experience/ (finished the exam in 6 hours)

If you are interested in the exam, please share your comment. I will be happy if you share your opinion on certification in general (I am interested in this topic).