My Journey to being an OSCP
I started setting OSCP as a goal back in 2018 when I decided to shift my focus on security testing. As I am a person who often jumps into rabbit holes and to never ending research on what certification would be the best in terms of practicality and budget, I stumbled upon the Offensive Security Certified Professional(OSCP) certification. From then on, I decided that I will achieve that certification someday, but before I was able to get my OSCP, I was able to get some experience by getting CEH(P), HTB’ Offshore Lab, and Pentester Academy’s CRTP.
What is the OSCP?
OSCP is a certification handed out by Offensive Security, an infosec training and penetration testing company. The OSCP is famous in the industry, as it is one of the very few certifications where the exam is completely hands-on. The exam period is around 24 hours(23 and 45 minutes to be exact) where you will hack into 5 machines within that time frame. The exam is proctored and you are required to keep your cameras on for the whole duration of the exam.
I started my journey for the OSCP after learning that boot2root machines are a good way to practice, I started my journey by solving them and then documenting them through write ups. I first published my first solved boot2root here, through Medium. That day also, October 4, is when I solved my first Hack the Box machine, which was Jerry.
I spent most of my time in Hack the Box, and have meet people who have helped me tremendously not just through nudges and hints, but also their stories and experiences and opinion on how practical this certain vulnerability would be. I then started making write ups of machines I was able to solve in HTB here in Medium.
Before I started the OSCP, I was running at 75 solves from Hack the Box. This preparation gave me tons of exposure on techniques and procedures that have really become helpful on the labs. I also spent a lot of time watching Ippsec’s videos and reading 0xdf’s write ups every week(even the ones dated years back). For me, it was very useful and beneficial to compare their write ups and how they approached things, as it gave me at the very least “2” ways to approach something. This gave tremendous learning every week, accompany that with solving machines myself. I started solving boxes and watching how they solved it, and comparing how my approach. This helped me understand things that I have missed and why I missed them, also gave me an idea why I over complicated things or simply did not understood why that or this thing worked.
Before I started the OSCP, I can confidently say that there are times when Ippsec solved it exactly the way I approached it, might be because there is only one path, but it also proves that somehow my methodology was getting better. I also started my Masters degree in Information Security before my PWK lab access, hence the schedule was difficult and I barely had time for myself. My day was work on the morning until late afternoon, attend class until 8pm or 9pm, then work on the labs until 12 or 1am. I am thankful I was able to do this for more than a month, thanks to the support of my loved ones and friends.
PWK Lab and OSCP Exam Experience
I had 60 days of lab time, but I took the exam around 35 days of lab time. I was able to solve 45 boxes from the lab back then, and was able to spend time on the “internal” networks of the OSCP. What made the PWK lab stand out from the boot2root platforms is the machines have dependencies from other machines in the lab. This gave the feeling of actually working on a penetration test where you have to take good notes and have thorough enumeration. If you have no experience on other lab environments, practice a lot on these labs. I enjoyed the labs and there were things I learned that was not able to learn from anywhere else.
For me, the things you should be able to practice in the labs are the following:
- Buffer Overflow — the material and lab machines are sufficient for this. You do not need to work on other machines that are related to the OSCP buffer overflow, but they are still good practice. Its a simple 32-bit Windows Buffer Overflow.
- Lateral Movement and Tunneling — albeit not included in the exam, it is important to be able to practice this in a structured lab environment, as this happens often during penetration tests. Though, I had good practice of this topic from HTB, Offshore, and CRTP already.
- Active Directory — there are certain machines that simulates an Active Directory environment. If you have not passed the CRTP(Certified Red Team Professional) or completed HTB’s Offshore Pro lab(which I both did prior to HTB), this is mandatory. But if you’ve done CRTP(even without HTB Offshore), this is not needed, as the material for that covers what’s in the PWK, almost.
- Client-side attacks — there are certain machines that are vulnerable to this. Work on them as they are important for further Offensive Security courses(WEB-300, PEN-300).
Since my lab time was schedule by the end of the year, I decided to book my exam the best time possible so I can spend the holidays without thinking of the OSCP exam. I booked my exam on December 9 at 5pm. I will not disclose the details of the exam, but here are my general impressions and tips for those who are planning to take it in the future:
- Make sure your methodology is solid. Check on all ports. Check them manually too using netcat or telnet.
- Know when to stop poking on a service or a port.
- Learn how to take good notes. Take note of the commands and exploits that worked, so you can just copy paste them if ever you need to work on it again.
- The exam is not a CTF, meaning you do not have to find something very obscure. Enumeration is really important.
- Do not over complicate things.
- Learn to take good screenshots, which is not only important in the exam report, but also is very important when you do actual penetration test work.
- If you are on Reddit, join https://www.reddit.com/r/oscp/ and other infosec related subreddits.
- READ THE EXAM AND REPORTING GUIDE BY OFFSEC. EVERYTHING YOU NEED IS THERE.
This will be the meat of this story. Here are the things you should look into in preparation for the OSCP. This is not an exhaustive list of all the things I reference to, but could be a start for you:
- Buffer Overflow — If you understood the materials already, allot time to practice the flow using Tiberius’ TryHackMe room: https://tryhackme.com/room/bufferoverflowprep.
- SANS Cheatsheets
- Watch Ippsec’s OSCP prep playlist: https://youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf
- Read 0xdf’s blog posts and compare how you solved the machine, same with how Ippsec solved it
- Read blogs and spend time really solving machines.
- OSCP is a hands-on exam, your conceptual knowledge may be helpful, but it won’t be enough for the exam. For example, rather than knowing how a LFI(local file inclusion) works, you should be confident in finding which files to look for if you have LFI and what information you can get from those files to aid you in exploitation later on.
After waiting for almost a day and a half, I got the results stating that I passed the OSCP.
Hope this becomes helpful in your journey in earning your OSCP. I would like to thank my friends and colleagues who pushed me to be a much better infosec professional. Happy that I’m around people who push hard to be better and actually have goals in their lives and make an impact in security.