Achieving OSCP – My secret sauce

I completed my Offensive Security Certified Professional (OSCP) certification earlier this week and a lot of people have since asked me to do a write-up of my experience. Now there are already tons of helpful reviews containing details about how to prepare, what to read, exam experiences etc. So, while I will briefly cover these aspects, I will also include my thoughts on the two questions below, which I believe would be of interest to people who may be contemplating taking up OSCP.

  • Is this certification for me as I’m not much into technical aspects?
  • Is this certification for me at the current stage of my career given my personal / professional situation?

Both these questions are difficult to answer and there are no right or wrong responses. All of us are unique and what may work for someone may not necessarily work for others. I will however highlight my thought process and how I was able to come up with a solution which worked for me.

Stage 1 – The background
I have been in the Cyber / InfoSec industry for 12+ years and started my career as a pen-tester. A few years later I moved away from pen-testing and got involved with other aspects of information security like audits, compliance, reviews etc. While I enjoyed everything I did, at some point, without my even realizing it, the learning stopped and I was basically repeatedly doing things which I knew well. Make no mistake, I am really good at what I do, probably even too good (shameless self-promotion 😀 ) but I still felt that there was a void.

So to counter it, I decided to pursue some certification / educational course which would increase my knowledge and get me going again. A good friend recommended OSCP. I had heard of it before but never quite looked it up. As soon as I did, I was sold on it!!!!

Stage 2 – All or nothing
I signed up for the certification and started around mid Feb 2017. I initially signed up for 2 months (should have done 3) thinking that this was neither too aggressive nor too easy-going. Due to my professional commitments, I ended up not utilizing around 1 month (bad planning) and was quite dissatisfied with my overall progress. I hadn’t even been able to complete the video tutorials and had barely touched any of the lab machines. The only positive was that I was documenting the course exercises along with the tutorials (good decision). So, I took my family into confidence, worked out my financial situation and quit my job to focus completely on this!!!

Stage 3 – This is it
Now that I had free time, I could dedicate myself completely towards studying for OSCP. I extended by a month, completed the video tutorials and got into the labs. The initial progress was slow but I was determined. At the end of my 3rd month, I had completed around 30 lab machines. I knew I still wasn’t ready for the exam and needed another extension but ended up taking the exam just to get the experience. I used all 24 hours, with some breaks, and missed passing, according to my calculations, by a small margin. A day later I was all energized and back in the labs with a 15-day extension. Over the next 2 weeks, I accessed all the networks and had root access on all the 50+ machines. I felt I was ready this time and took my 2nd attempt.

Stage 4 – One step forward two steps back
The 2nd attempt was nothing short of a disaster. I didn’t sleep well the previous night, panicked at the start, all my planning went out of the window, I had tunnel vision and wasted too much time. It was so bad that I did not even bother to submit a report. I knew anyway that I had failed. To say that I was disappointed was an understatement. It took me 3 days to get over the feeling and re-focus on what needed to be done. I knew what my weaknesses were: privilege escalation, time management and speed. My challenge was not that I didn’t know how to solve the machines but the time I was taking to do it. That’s what got me on my 2nd attempt. I decided not to extend my lab time but to focus on VMs from Vulnhub. I put together a formal plan, did 20+ VMs, targeting at least 3 every day (within a 10-hour window) with documentation. I reorganized my scripts and folder structures, pre-compiled a few common exploits and decided to spend a maximum of 2.5 hours per machine at a stretch during the exam. Basically, I did everything that would help me save time and not get sidetracked.

Stage 5 – The final frontier
My last attempt started smoothly. I started at 2:30 pm in the afternoon and within the first 7 hours, I had rooted 3 machines. I then decided to take a break and went off to sleep for a few hours. I started on the 4th machine but did not make much progress. I had another 9 hours left and decided to shift to the final machine. Some progress but no shell. I kept going back and forth between the 2 machines. The hours ticked by and I wasn’t getting anywhere and the familiar panic feeling was beginning to appear again. 4 hours to go and I had a breakthrough. Basically, the answer had been staring at me for many hours, just that I couldn’t see it. In 10 mins, I had a non-administrative shell. Again, privilege escalation was being elusive and I was losing time. So, I decided to focus back on the machine on which I had got nothing. If I could get at least a shell, I would probably pass. But that wasn’t enough and I wanted it to be certain. And then the big breakthrough. Basically, the answer was the very first thing I had tried on the machine but I had overlooked a minor detail. 5 mins later I had a limited shell. Another 20 mins later I had a root shell. Hell yeah!!!!!

I quickly checked all my documentation and exam requirements and logged off from the VPN although there were another 30 mins to go. I was simply too exhausted to continue. 4 hours later I started putting together my report which took around 5 hours to complete. I already had the template ready, just needed to enter the details. A little over 24 hours later, I received the email which I had been working towards for 5 months. The feeling…can’t describe it!!!!

Now that it was done, I believe I can answer the 2 questions which I mentioned earlier.

  • I am a security professional but not so much into technical aspects, is it for me?

Absolutely, resoundingly yes. Even if you haven’t done pen-tests ever before, maybe even never touched a Linux system, there is nothing which can stop you assuming you are willing to put in the effort. The effort of course will vary vastly and those who do this as part of their day jobs will have a much shorter learning curve, but it doesn’t rule out anyone. So, what is the effort? Well, the effort means that while you go through the provided material and exercises you will also be doing a lot of reading up on your own. You will spend endless hours in the labs and generally studying topics that are currently not your strengths. There will be moments of desperation, despair and frustration but you just need to believe in yourself and follow the “Try Harder” mantra.

  • Is this certification for me at the current stage of my career given my personal / professional situation?

It could very well be, but you need to consider the following factors: family support, job commitments, financial situation (if you leave your job).

First and foremost, get your family onboard with your plan. Explain to them what you intend to do and what it will take to do it. Remember it’s not just you but they as well who need to sacrifice (basically you won’t be spending much time with them). If you can’t convince them, chances are you won’t succeed. If you have any holidays planned, then don’t sign up right away; wait till you get back. The decision to quit your job is not easy and needs to be very carefully thought through. If you are confident about your ability to get a job back when you need it, either because of your skills or your network, only then think about leaving. The ideal situation would be to complete the certification alongside the job. This I believe is very much feasible at entry level or if you are lucky enough to be doing pen-testing as part of the job. However, for a lot of professionals, especially mid and senior level, time is a luxury. The work environment today requires long working hours, late night / early morning meetings, constant deadlines, daily pressure situations and at times working over weekends, all of which translates into less personal time. So, if you must take out time by pushing out meetings or delaying deliverables, then you are doing a disservice to your employer, which I would strongly advise against. Also, if you have loans and EMIs as a lot of professionals do, then ensure you have enough to last at least 6 months, maybe a year. The last thing you need is a financial crunch to derail your plan.

To summarize, if you genuinely can’t complete the certification alongside your job, can get a job when you need one and have enough financial strength, then quitting your current job could be an option for you. Measure all the above factors against how badly you want to do OSCP and you will have your true answer!!

At the end, I would say that this has been a journey which I never thought I would end up going on, but once started, not once did I ever believe that I couldn’t do it, and I kept TRYING HARDER. Remember, it’s not the end certification but the knowledge gained during the journey to achieve that certification which is most valuable!!!!

A few good resources that I would recommend

URLs
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation
https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells
https://www.rebootuser.com/?page_id=1721#.V7zCFa1Bazs
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://www.fuzzysecurity.com/tutorials/16.html
https://www.toshellandback.com/2015/11/24/ms-priv-esc/

Vulnhub VMs
Metasploitable 2, Kioptrix: Level 1, Kioptrix: Level 1.1, Kioptrix: Level 1.2, Kioptrix: Level 1.3, Holynix v1, Tr0ll 1, Tr0ll 2, SickOS 1, SickOS 2, VulnOS 1, VulnOS 2, Kioptrix: 2014, pWnOS:1, pWnOS:2, Mr-Robot: 1 , FristiLeaks: 1.3, Vulnix, SkyTower: 1, Droopy, Minotaur, Stapler: 1, Lord of the root
