Guide to cracking the OSCP Certification
This blog has now moved to: https://theaveragenz.com/cracking-the-oscp-certification/
I recently earned the OSCP certification on my first exam attempt! I decided to share my experience with you guys, hoping to make your path to OSCP easier!
In this guide, I’ve described my experience and the strategy I used to manage the OSCP material alongside my undergrad studies.
I’ll soon publish another blog with the details of how I tackled the lab machines and the exam, from a technical standpoint.
What is OSCP?
OSCP is the most well-recognized and respected certification for info security professionals.
If you want to prove your penetration testing skills, OSCP is the certification for you! It is probably the only hands-on certification that tests your skills in a live virtual environment.
To achieve the OSCP certification, one must complete the PWK course and pass the 24-hour exam.
The PWK course includes a set of videos, a PDF course guide and access to a virtual private network with machines to be rooted!
Before the OSCP
Due to the complexity of the certification, it is advised that you have some prior experience in this field. I have been playing CTFs (Team d4rkc0de: https://ctftime.org/team/15154) for over 3 years now; this gave me an overall view of the field. And with a good hold on Python, C and shell scripting, I was all set for the labs!
A better practice would be to try out some machines from HackTheBox and VulnHub. A few of their boxes are quite similar to the OSCP ones. I had tried a couple of boxes from HTB, and the Kioptrix series from VulnHub. They seemed to have given me an introduction to what OSCP boxes would be like, and that was needed, as I had never moved past the “CTF Environment”. Here’s a curated list of the VulnHub boxes you can try: https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms
Make sure you have the PWK Kali VM set up before you start with the labs. I set up my terminal with Oh My Zsh, added aliases for the commands I used the most, and made some minor theme-related tweaks.
Also, you must register about 2 weeks prior to when you plan to start the OSCP Labs. I learnt that the hard way.
The labs
I signed up for the 2 month labs, and they commenced on 13th Jan, 2019 at 5:30AM IST. As I was really excited, I woke up at 6AM without the alarm ringing (which I never would have done otherwise), freshened up in a hurry, and started downloading the study material.
I started off with the videos, and managed to complete them by the next day (yes, I watch videos at >2x). I was aware of most of the material, so I moved through the videos quite swiftly. It was just the buffer overflow part that was slightly new to me, so I decided to cover that properly by practicing on some vulnerable application.
I then jumped onto the labs, and decided to go in order. It took me 3 days to get root on the first box; that was when I lost all hope. But then again, that’s what Offsec teaches us: to Try Harder!
Before moving onto the next machine, I read a ton of blogs to know more about how to tackle these labs. In the meantime, I was also completing some of the exercises in the Course Manual, as I wanted those 5 extra points :). Each point counts!
After a couple of days of doing assignments, I got back to the labs. I cracked 2 more boxes in the next 3 days; progress! I used Metasploit for both of these machines as I was still not confident enough, but the roots still count!
In about 20 days, I owned 11 machines. I was pretty happy with my progress. I made sure I was documenting all the steps so I could refer to them later for revision purposes, and also for the extra 5 points :)
At this point, I decided to organize things to get some pressure off my head. So I made a detailed Google Calendar “time table” and decided to follow it religiously.
This is what my “normal” week looked like. Yep, living through it was as painful as it looks.
I followed this schedule till my exams came about. I had to significantly reduce the time I spent on the labs, and I was really scared about it. I tried my best to fit in a couple of hours before bed, and cover up on the time lost by not sleeping as much. I was sleeping about 3–4 hours per day during this painful time.
At the end of my exams, I had a little less than 30 days of lab time remaining and I was just 16 machines in. With some “quick math” I deduced that if I continue at a similar pace, I would own only 32 machines by the end. With this in mind, I was really motivated for the next 4 days; and rooted 12 boxes!
My hopes climbed back up; I felt that I would be able to root at least 40 boxes at this pace. But then, assignment deadlines started to pile up, and I had no other choice than to spend time doing them.
After a few days of doing assignments, I figured that I wouldn’t be able to handle both my academics and the labs, as the assignments would keep coming :(
I went on to find some groups where I could get small nudges to cut down the time I took for each box. And during this journey, I made a new friend who turned out to be a really great study partner (Rohan Chavan). Trust me on this, a good study partner will always be helpful. You will always be motivated to push yourself beyond your limits.
I gained pace as we started doing some boxes together. With around 20 days left, I decided that we should own the “must do” “hard” boxes (pain, sufferance, Humble, gh0st, fc4, gamma). It took us a little more than a week to get past all these boxes. I will never forget that week; the amount of learning we had was just insane. If you’re low on time, make sure you root these boxes before the others; you’ll have a lot of fun!
With a little less than 10 days remaining, I had owned 34 machines. I decided to take my mind off of the machines for a while, and began to complete the exercises to get the 5 bonus points. I was a little late to begin the exercises, so I sat down for literally 2 straight days, and completed all the exercises. The next day, I covered up for my lost sleep. It was worth it!
While doing the exercises, I realized that the best practice for buffer overflows was the exercises given in the manual. So even if you don’t plan on doing all the exercises for the 5 bonus points, make sure you practice the buffer overflow ones.
At this point, I curated a list of the remaining machines, and went over to the forum to find out the ones that were comparatively easier. Over the course of the next 3 days, I was able to root 5 more machines, putting me at a total of 39 boxes.
I tried a couple more machines, but I was worn out; I hadn’t had enough sleep in the last few days, and had gotten a little sick. So I decided to use the remaining time to fine tune my Lab Reports and the Exercises. I also booked my exam for the 17th March, 2019 at 12:30PM IST.
I was pretty happy that I almost hit the 40 mark. The effort I put in during these two months was definitely something I didn’t think was possible, especially with exams and assignments up to my neck. In the end, I did try harder!
The Exam
As I lived in the college hostel, I had to manage everything on my own. So my parents decided to call me back home for the exam. And I am glad that they did! I didn’t have to worry about anything at home!
The night before the exam, I wasn’t able to sleep due to the anxiety. This kind of set me back the next day. So make sure you are sleep deprived the night before your exam, so you have no other choice than to sleep tight!
On the day of the exam, I woke up around an hour before the exam (10AM GST), took a quick shower, had a nice and heavy breakfast and set my desk up with all the IDs and some physical notes that I had prepared.
I was all set by 10:35AM. I was waiting for the proctor’s mail so I could proceed with the exam. Upon receipt of the mail, I immediately followed the instructions and set up ScreenConnect and the webcam as required. Then came the ID verification part, which wasted a lot of my time and thus tensed me up. Somehow the 720p image feed from the webcam wasn’t clear enough for them to verify my ID. But everything worked out in the end.
I began the exam at 11:10AM GST (10 minutes late). I glanced through the IPs and decided what order to tackle the boxes in. I decided to work on the 20-point machine first. I enumerated it, and got command execution within the first hour, but wasn’t able to convert that to a reverse shell right then and there. After almost 2 hours of debugging my injected payload (and a ton of breaks), I finally got a connect back with a low privilege shell! The privilege escalation took me a couple of minutes!
I then made sure I had enough screenshots and notes to write a detailed report for this machine. It was then that my VPN stopped responding. I thought it was something on my end, but it wasn’t. On speaking with the proctor, I was told that they were aware of this issue, so I took a 30 minute break to nap. The VPN was still not responding. I mailed Offsec support, and found out that they were looking into the issue. I basically had nothing to do for about 1 hour 30 minutes. To compensate for the lost time, I sent a mail to Offsec support about the issue; they responded within the next hour, giving me an extension of 1 hour 30 minutes.
To get back on track, I decided to crack the 10-point machine. It was indeed worth 10 points; I was done with the machine in an hour!
I was now 30 points in, only 4 hours into the exam (excluding the time lost to the VPN issues). I decided to pop the buffer overflow box (probably the easiest 25 points in the exam), which took me a little over 2 hours to complete because of the screenshots I had to take at each step, and because the executable had a ton of bad characters (which I was scanning for manually).
I now had 55 points in my bag, and 18 hours remaining! So I took a 30 minute break to clear things off my head and started afresh. I started working on the second 20-point machine. There was a lot to enumerate. After about 1 hour of enumeration, I got a low-privilege shell in the next 30 minutes. I was now on the verge of the “70 point mark”. I started exploring any possible misconfigurations on the machine, and found something fishy. I had fallen into a rabbit hole, and I didn’t know it. After banging my head for an hour, I decided to take a break. I was back in 15 minutes, opened up g0tmilk’s privilege escalation “cheat sheet” and made sure I had enumerated everything. Turns out I had missed something! I found the misconfigured service within 10 minutes, and found an exploit for it. I edited the exploit to give me command execution as root, and immediately spawned a reverse shell to get root!
With around 14 hours remaining, I already had enough points to pass! After about 5 minutes of celebrations, I got back on track. Before proceeding to the last box, I decided to compile my notes, and organize all the screenshots taken. After 3 hours of effort, I had a decent looking report with a ton of backups. It was time to begin the last machine.
After enumerating the services for an hour, I was pretty worked up (as I hadn’t slept enough the night before). I made sure I had all the screenshots needed, and went through the dummy report around 3–4 times to make sure I had covered everything. After I was done verifying, I asked the proctor to terminate my VPN connection. And that was it!
After a peaceful sleep, I worked on the final report for a couple of hours, and uploaded it along with my exercise and lab solutions!
At this point, every notification scared the hell out of me. Finally, on 23rd March, I woke up to a new mail! I ran around the house ‘howling’ at the top of my voice, haha!
I can officially say, I Tried Harder!