Martin Haller: A blog about corporate IT protection and management

OSCP: Offensive Security Certified Professional

Last weekend (June 8, 2019) I successfully completed my path to the OSCP (Offensive Security Certified Professional) certification. It was a challenge and the most fun certification I have done so far. I’d like to share this hacking experience with you.

I first mentioned this certification on the blog in April 2018 (in the article How to Hack a Computer in Seconds). At that time, however, I had no idea that it would be more than a year-long journey.

There was still a lot of work to do in 2018: we moved the company forward, took on new colleagues, changed processes, and I was getting CHFI (Computer Hacking Forensic Investigator) certified. So I didn’t get to OSCP at all. It wasn’t until December that I decided to set a fixed date, otherwise I would never get that certification. So I gave myself the certification as a Christmas present, so as to start on it on the first weekend of January.

What is OSCP certification about?

OSCP is a certification from Offensive Security (the creator of Kali Linux), proving that its holder understands computer security (the technical aspects) and can hack whatever. 🙂 The practical emphasis makes this certification exceptional. The exam itself includes no theoretical test. Instead, you get 24 hours and VPN access to an unknown network, where you hack the servers within it. At the end, you write a report. In fact, it is a real penetration test.

Everyone who decides to take the exam must go through a preparatory online course called “Penetration Testing with Kali Linux (PwK)”. It also includes a free exam attempt. This preparatory course is also primarily practical. You get VPN access to a virtual network where over 50 servers are waiting for you, and your goal is to hack as many as possible. 😊

The course also includes PDF textbooks (almost 400 pages) and demonstration videos. The textbooks are rather an introduction to the subject; you are expected to look up further information on the Internet yourself.

The price of the course depends on how long you want to have access to the virtual lab. I knew time would be a problem, so I paid for 90 days (priced at roughly 26.000 Kč). This is not a negligible amount, but EC-Council training/certification is priced significantly higher.

In my opinion, the certification is recognized in both the commercial and security communities, as it cannot be acquired simply by memorizing slides or test questions. I tried to find out how many people had already obtained it, but I didn’t find an official number. Since my serial ID was about 44,000, I guess there are about 20,000 OSCP holders in the world (those who have done other Offensive Security certifications and those who have not passed the exam have to be deducted).

Figure 1: Lab network map

What knowledge did I start with

IT is my passion, so I’m always digging into something. For the past few years, I’ve spent most of my time on security because I care about keeping our customers secure. I am aware of the responsibility and consequences of my work for our customers, their owners and employees. So I felt quite confident that I should be able to handle the OSCP.

At the same time, I already held the following computer security certifications (and, I believe, the corresponding knowledge and experience):

“Penetration Testing with Kali Linux” preparatory course

I started with the textbooks, which took me about 2 days. Half of the textbooks is about buffer overflows and exploit anatomy. I had read a great book on this about 10 years ago, “Hacking: The Art of Exploitation”, so it was rather a refresher.

Then I finally went into the lab, which was the part of the course I enjoyed most. You connect to it through a VPN from a virtual PC (part of the course is a Kali Linux image for VMware Player, which you run on your PC or notebook).

Basic course info

What I liked about the course

The Lab has some unique features that bring it closer to real corporate networks:

Lab tips

How did I do in the lab?

Unfortunately, I couldn’t get through the whole lab in 90 days. As always, a lot of new work appeared, and I traveled for a month (Cuba and the USA this time). So I extended the lab for another 90 days. In the end, I managed to finish the lab (break all servers) in 5 months. I worked mainly on weekends (Sunday became a regular working day) and holidays (April/May was especially productive). Overall, the lab took about 140 hours.

I have to admit that sometimes I used the forum to get through the lab. Sometimes I wasn’t sure about the attack/escalation vector, and rather than losing hours (which are the most precious thing for me now) on blind paths, I looked around for help. Help is only indirect: specific instructions/steps are not there, as sharing them on the forum is forbidden, and the forum is censored.

Final OSCP exam

The final exam is purely practical. No theoretical questions. It takes 24 hours, you can use any open book, you do it from your home/office, and it is supervised (someone monitors you through the webcam and records the whole screen). After completing the exam, you must write a penetration test report within 24 hours and send it to Offensive Security (it’s part of the exam evaluation). More information is in the Offensive Security FAQ and the OSCP Exam Guide.

At the start of the exam you get VPN access to a new lab (which is just for you) and the addresses of your targets. Each target is scored. The maximum number of points is 100 and the threshold for passing is 70 points. You then have 23 hours and 45 minutes to break them. When I first heard about the length of the test, I laughed at it. I was used to exams of at most 2 hours and always finished early.

You can book your exam date online and reschedule it up to 3 times. The weekend is the calmest, so I booked my exam for Saturday, with the report writing to be done on Sunday. Looking into the reservation system, I found that weekends were booked for weeks in advance. Fortunately, Saturdays usually start to free up again on Wednesdays, as others begin to move their dates. So I was lucky and got a freed-up slot on Saturday, June 8, at 8:00.

I prepared everything in my office the day before: a notebook with a camera that recorded the whole office, and a desktop PC on which I run the VMs with Kali Linux. I packed my lunch and snacks. And I packed my sleeping bag in case things got worse and I had to sleep in the office. 😊 But I still thought I’d blow through the test in 6-8 hours.

Exam day

Mild nervousness played its role and I didn’t sleep very well. Still, I woke at 6 am, had breakfast, washed and got to work. I arrived at about 7:20. I tested and prepared everything, and waited for a connection with the proctor (supervisor). He checked my identity, the room in which I would work (via the webcam) and the virtual machine, and allowed me to access the lab.

I was at the start at 8:15 and ready to take the test. Perhaps I will not disclose anything secret when I write that I received a total of 5 targets. First, I started enumerating the servers (what’s running on them, what systems they are, etc.). I have to say that the OS (Offensive Security) guys don’t really make it easy; things just don’t go as smoothly as you’d expect. 😊 I focused on the first server and broke it completely at 11:32. The server took me about 3 hours, which was longer than I had expected. If I could break the other servers at this speed, I’d finish sometime before midnight.

Unfortunately, things went seriously wrong after that. It was 4:40 PM and I had been bouncing between 3 servers since my first success. I had a rough idea of what to do, but I was stuck on something at each and every one. I always worked on one server for an hour and, when I couldn’t move on, I switched to the next. Again and again.

I decided to take a break. I took a snack and went to the park for a while. My eyes hurt from the monitor anyway (you can pause freely during the exam). I had resigned myself to not passing the exam that day. However, I still wanted to break as many servers as possible in case I got the same or similar servers the next time.

However, after returning from the break, I managed to break through. I figured out what I had overlooked before and got a step further. From that point on, I knew exactly what to do, and the server was hacked within an hour. I had 2 out of 5 servers at 6:19 pm.

I decided to take another quick break, as it was necessary to refill the caffeine. But before I left, I tried some other ideas on a server. Bingo again: I managed to move a little further, exactly the piece I needed to get onto a familiar path. With a smile and a better mood, I went for a coffee. Energy and mood began to come back, and I started to believe that the day would not be wasted. 😊

Back in the office, I went after the 3rd server and at 8:07 pm I gave it checkmate. There were only 2 servers left, and I was just below the 70 points. I needed to break at least 1 more server. There were still 12 hours left until the end of the test, but it was clear that fatigue would come with the night and my perception would dull.

I started to work on the server I hadn’t touched before. I had deliberately kept it for last, as I believed I would definitely break it (the assignment here is a bit more specific than the others). It was a piece of cake, and at 9:27 pm the server was hacked.

I still had 1 server left, but I already knew I had 90 out of 100 points, which was enough to pass. Professional honor, however, drove me to beat all of the servers! I devoted 3 more hours to the remaining server. Unfortunately, I was constantly going in circles.

At 0:20 in the morning, after 16 hours of intense concentration, fatigue conquered honor and ego. I drove home to sleep. Paradoxically, I broke everything except the easiest of the servers (according to the assigned points), to which I had devoted 6 hours of work in total. I was most likely overcomplicating that server, and the hack could have been simple, but that is life.

I wrote the penetration test report on Sunday. For me, this is rather the fun part. I sent the report and looked forward to the result.

Exam tips

Useful observations for the exam:

Conclusion

Speaking for myself, both the course and the exam are amazing. I recommend them to any computer security enthusiast. Finding those 140 hours wasn’t easy (all the more do I admire people who are studying and working at the same time), but it was worth it.

If you would like to try something similar to OSCP, I can recommend “Hack The Box” or “Vulnhub”. These are free services at a similar level (many OSCP students combine them with the course).

Alternatively, I recommend reading the experience of others, for example:

If you are interested in the exam, please share your comment. I will be happy if you share your opinion on certifications in general (I am interested in this topic).
