My OSCP Journey

Angel Mercado
Published in Writeups/notes
10 min read · Jul 20, 2023

My background

I have a B.S. in Cyber Security and about 8 years in the Information Technology field. My work experience mostly consists of System Administrator positions with some networking experience.

What is the OSCP?

The Offensive Security Certified Professional certification focuses on penetration testing. It is the lowest level penetration testing certification offered by OffSec, though I would not call it easy by any means. It is well respected in the Cyber Security community because it demonstrates that you have the technical knowledge to penetrate live machines in a lab environment. In addition to penetrating the live machines, the exam requires students to create a detailed report documenting their findings.

Goals

From the moment I first heard of the certification around 2020 I knew I wanted to achieve it, although at the time it seemed like an insurmountable task, as even the easiest machines on HackTheBox.com were incredibly challenging to me. Around this time I began to do research on the OSCP and figured it would be best to create a structured learning plan before even attempting to begin the course, which in hindsight was hugely beneficial to me. Keep in mind that your goals may need to be different based on the knowledge you already have about topics such as networking. The goals I felt I needed to accomplish before joining the course are as follows:

  • Learn Linux

Learning Linux was a very obvious first goal for me because most students choose to use penetration-testing-ready distros such as Kali Linux and ParrotOS. I had very little experience with Linux outside of basic commands used at my prior job. I thought it best to nuke Windows on my personal laptop and install a Linux distribution to force me to learn and use the operating system on a daily basis. I did a ton of research, mostly on Reddit and YouTube, which led me to choose Manjaro with i3 as a window manager. Initially this was painful: I struggled to get basic things to work and was constantly on forums asking for assistance. This pain did pay off, however, as it saved me a ton of time when I later moved on to using Kali Linux.

  • Learn the tools of the trade

The next goal I had in mind was to get more hands-on experience with some of the tools commonly used in penetration testing. Most importantly, I learned a lot about Nmap and Wireshark. I installed Nmap on my laptop and began to conduct scans on my own network, as well as monitoring the scan traffic with Wireshark. During this time I realized that learning bash scripting would be hugely beneficial, as it could save time by filtering output and automating tasks. The basic learning I did here would prove instrumental in helping me to better enumerate machines.

  • Learn the process

I knew that I needed a structured way to conduct a penetration test. I borrowed knowledge from a previous certification I achieved (CEH) and used the framework learned in this course which is as follows:
— Reconnaissance
— Scanning
— Vulnerability Assessment
— Exploitation
— Reporting
I learned as much as I could about each topic and ended up using it as the structure for my final OSCP report.

  • Learn to report/take notes

Because the OSCP requires a report to ultimately achieve the certification, I knew it would be best to start early, as it would be devastating to pass the exam only to fail due to a bad report. During this time I discovered Obsidian, a Markdown tool that made it easy to take notes and sync them to the various devices I own. I used Obsidian to create a template for each machine I would complete, based on the framework above. This included sections for my nmap scans and other findings. I cannot stress enough how useful this was to me: documenting early saved me time later, as I often discovered that things I had learned in the past applied to machines I would later tackle in the labs.

  • Get hands on

Ultimately the OSCP requires the student to penetrate machines, so I knew it would be beneficial to have some machines already completed prior to starting the course. Here I discovered various online learning platforms that were (at the time) more beginner friendly than HackTheBox. The main platform I would end up using to get hands-on experience was TryHackMe.com. I wanted to feel comfortable completing easy machines, as well as practicing topics like binary exploitation, which at the time was still a part of the exam.

Learn One

In early 2022 I decided to purchase the Learn One subscription. The Learn One subscription gives students 1 year of access to the PEN-200 course as well as two exam attempts. I felt that I had sufficient background knowledge and felt confident moving forward. It was about a month later that that confidence would be shaken slightly. The OSCP exam was going through a major change: Active Directory had now been added to the exam, and students would now be required to conduct a penetration test on a small Active Directory network. I had prior experience with Active Directory as a Sys Admin but had zero confidence in enumerating, much less attacking, this directory service. The bonus point system, however, had also been revamped, which made it much easier to achieve ten extra bonus points towards the exam. As a result I decided it was best to forgo the labs for now and focus on completing all the challenges on the newly created web portal submission system. I went through the entirety of the PDF, took notes and documented each challenge in Obsidian. I did run into a ton of roadblocks during this time and ended up joining the OffSec Discord. The student mentors on this Discord are a wealth of knowledge; they nudge students in the right direction without ever giving out answers. This helped give me confidence in each of the topics within the PEN-200 course.

Labs

After completing 100% of the challenges I thought it best to begin the labs, as the 10 extra bonus points were given if students successfully rooted 30 of the machines in the lab environment. It was here that my prior learning really paid off. I breezed through a ton of the machines in a short period of time. It wasn't until I had about 15 machines rooted that I began to slow down, as the machines became much more challenging. I learned that I would really need to step my game up when it came to enumeration, as I would often miss small details that would later prove instrumental in the successful exploitation of a machine. This led me to take even more thorough notes. I would use nmap2md to convert my scans into a readable format in Obsidian, and then write detailed descriptions of what I found on each port. This small change was what led me to enumerate better, as I was now forced to work out why each port was open, what it was doing and how it could be enumerated further. This changed my thinking, and I began to think of each machine as a puzzle where each piece may have a connection to achieving the final goal of root. I ended up completing upwards of 80% of the lab machines, which was more than sufficient to get the 10 extra bonus points for the exam.
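The two habits described above, using bash to filter scan output and turning nmap results into Markdown for Obsidian, fit in one short script. The following is an added example and not the nmap2md tool the post mentions, nor anything from the course: it parses Nmap's grepable (`-oG`) format with POSIX sh, grep, sed and awk, emits a Markdown table of open ports, and extracts a comma-separated open-port list that can be fed back into a targeted `nmap -sV -p` scan. The scan data embedded in `sample_gnmap` is constructed for the demonstration, not a real result.

```shell
#!/bin/sh
# Added example: Nmap grepable output (-oG) -> Markdown table / open-port list.
# Field layout of a gnmap port entry is port/state/proto/owner/service/rpc/version/

# Constructed sample of "nmap -sV -oG" output (not a real scan).
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.5\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 10.00 seconds\n'
}

TAB="$(printf '\t')"

# Expand every "Ports:" line on stdin into one tab-separated record per port:
# host, port, state, proto, service, version
ports_records() {
    grep 'Ports:' | while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | awk '{print $2}')
        printf '%s\n' "$line" \
            | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' \
            | tr ',' '\n' | sed 's/^ *//' \
            | awk -F'/' -v host="$host" \
                '{ printf "%s\t%s\t%s\t%s\t%s\t%s\n", host, $1, $2, $3, $5, $7 }'
    done
}

# Markdown table of open ports only, ready to paste into a note.
gnmap_to_md() {
    printf '| Host | Port | Proto | Service | Version |\n|---|---|---|---|---|\n'
    ports_records | awk -F"$TAB" \
        '$3 == "open" { printf "| %s | %s | %s | %s | %s |\n", $1, $2, $4, $5, $6 }'
}

# Comma-separated open ports, e.g. nmap -sV -p "$(open_ports_csv < scan.gnmap)" <host>
open_ports_csv() {
    ports_records | awk -F"$TAB" '$3 == "open" { print $2 }' | paste -s -d ',' -
}

# Stand-alone run: show both outputs for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_gnmap | gnmap_to_md
    printf 'open ports: %s\n' "$(sample_gnmap | open_ports_csv)"
fi
```

Filtered and closed ports are deliberately dropped from both outputs; the table keeps host, port, protocol, service and version so each row can become the heading of a per-port enumeration note.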

Overcoming challenges

Despite completing enough lab machines to get the bonus points, I did not think that would be sufficient, as I felt I still needed more practice on two main topics: Active Directory and pivoting. It was around this time that I decided it was best to set up my own vulnerable lab. I found a useful guide from The Cyber Mentor on how to build an Active Directory lab. I used this along with Hyper-V to create some of the common misconfigurations typically seen in Active Directory, such as not requiring pre-authentication, weak and shared passwords, and more. This allowed me to better understand attacks like Kerberoasting, AS-REP roasting, pass-the-hash and ticket-based attacks. Had I not set up this lab myself I do not think I would have successfully penetrated the Active Directory network in the exam.

Pivoting was another area that worried me, as I would often have trouble getting tools like Impacket and nmap to work through the pivots I created. I once again decided that it would be useful to create my own lab for practice. I used the virtual switch functionality within Hyper-V to make my virtual machines available only to the host device, and on top of that I used nested virtualization to ensure I had to create a double pivot to reach the target device. It was useful to ensure that the hosts were of different operating systems so that I was forced to use different tools and techniques to create the pivots. This was another decision that really paid off, and I would recommend setting something like this up if you are attempting the OSCP. I may later create a writeup on how I built it.

Exam Experience

I scheduled my exam to start at 8am on a Saturday morning. I had a simple game plan, which began with immediately focusing my attention on the Active Directory network, as with my 10 extra bonus points I would have 50 total points upon achieving Domain Admin. This meant I would only need 20 more points to pass. Since each flag outside of the Active Directory network was worth 10 points, I had plenty of opportunities to get a pass with the standalone machines.

About 3 hours in I had yet to get even one low-level shell on the Active Directory network. It seemed impossible; I looked back through my enumeration notes and was finding nothing that would get me any further. I felt defeated and decided to take a break. I went to get a nice lunch with my significant other and tried to push the exam out of my mind so as to have a fresh head when getting back into it. Upon returning I had a low-level shell within the hour. I kept the momentum going and completed the Active Directory set about 6 hours into the exam. At this point I felt relieved: I had 50 points and only needed two flags to get the required 70 points.

I started my enumeration scripts on the remaining 3 standalone devices and took a long break while the scans completed. Upon returning I reviewed the scans and tried to find the low-hanging fruit. This paid off: I had a low-level shell about an hour after returning and a root shell not long after that. With that I had the required 70 points to pass the exam. I decided I should continue and attempt to root at least one more machine, since I had the time and was having fun. It took me a long while, but I got another flag. At this point I was exhausted and decided my time was best spent ensuring that I had documented everything thoroughly. I spent roughly 4 hours going back through each machine, ensuring that each and every step in my notes was precise and could easily be recreated.

After quadruple checking everything, I ended my exam and used the entirety of my Sunday creating a report based on my findings. About 7 days later I received an email stating I had passed.

Lessons learned

Throughout my OSCP journey I learned a great many hard lessons that in hindsight could have been avoided.

Writeups:
First and foremost, looking at writeups for (retired) machines is not necessarily a bad thing. I was of the opinion that looking at writeups when I was stuck was unacceptable and saw it as a form of cheating myself out of learning. This in my opinion hurt my time management, as I would often get stuck and refuse to move on despite wasting hours staring at a screen. I later decided that if I had done my due diligence by thoroughly enumerating and documenting all my findings and still found myself stuck, I would look up hints. I would never look at the entirety of the solution; I would pull up a writeup in a minimized window and scroll down to where I was stuck. If I saw that someone was using a tool or technique I had not seen before, I would stop and try to use that myself to see if I could figure out the rest on my own. I would, however, be careful not to rely too heavily on these writeups.

Overreliance on tools:
Another huge lesson for me was the use of automated tools. In the beginning I would use tools such as AutoRecon to do enumeration for me automatically, which is a huge time saver. The issue is that you may sometimes miss key details that would not have been missed had the enumeration been done manually. While studying for the OSCP I would advise abstaining from over-relying on these tools and focusing on sharpening your manual enumeration skills. This is doubly true for privilege escalation: there were countless times that I would use a privilege escalation enumeration script on a Windows machine that would miss very simple privilege escalation vectors that would have been obvious if done manually.

CTFs:
Capture the flag challenges such as those on TryHackMe and HackTheBox are great learning resources for the OSCP, as they present you with already vulnerable machines to attack. These are great and will help you achieve your certification. I think, however, that it is infinitely more valuable to configure some of the vulnerabilities yourself. As I previously mentioned, late into my studies I began creating my own labs, sometimes using guides to assist. This in my opinion helped me learn more about how these vulnerabilities occur and, as a result, how to best exploit them. If I could do it all over I would do much more of this.

Learning a programming language:
While you do not need to be a developer to take and pass the OSCP, it certainly helps to at least have an understanding of how programming languages work. You should at the very least be able to look at an exploit and understand what is happening. Not having this understanding is dangerous, as your lack of understanding can itself be used to target you. To highlight this, on the 4th of July 2023 a POC for CVE-2023-35829 was released that, if run, would steal data. This was highlighted on Twitter in a post by @xnand_.

Some additional resources I used

Ippsec: YouTube channel and website
TJnull’s list: List of machines for OSCP
PortSwigger academy: Free web learning
TryHackMe: Free CTFs
John Hammond: YouTube channel
The Cyber Mentor: YouTube channel