OSCP PWK Experience

Intro



I have been looking at the Offensive Security OSCP for a while now and kept putting it off as I couldn't decide if I was ready for it. Late last year I decided that there were certain goals I needed to achieve in the next 12 months, so I started with CISSP and finished it in a few months.
Next was OSCP. I read every blog I could find on the Internet to better understand what to expect. From what I read... I was headed for a world of pain.


My Background

While I was preparing for the course, I was particularly looking at what experience people had when doing this course. This was a major issue for me as I did not have any Linux, programming or scripting experience. The only thing I knew in Linux was basic configuration items I had learnt managing VMware vSphere hosts.

My technical background is 10 years doing Professional Services in Network/Windows/Virtualization/Security/Routing/Switching/PCI-DSS compliance work. I have done the usual flavor of Microsoft, Cisco and the other certifications. It was time for me to do something really interesting.

I was planning on doing some Linux / Python training before starting the course; in the end I decided screw it... I am just going to do it, and if I need more time I'll extend the course.


The PWK Course

So I signed up for 3 months' lab time. I had some free time at work so decided I could squeeze in the course without any issues. I got my Kali VM ready, the lab materials all arrived quickly and it began.

The first month was brutal, everything was new to me and I was pretty much starting from scratch.
I was questioning myself... am I up for this, am I ready for this? I always had the IRC client running in the background and would see students working on interesting machines while I was trying to work out how to use nmap.

I decided I was going to get through this course and win, so I started by giving it all the time I had available. It was 4-5 hours every night during the weekdays and all weekend on it; on my way to and from work I would be reading ebooks and such to understand what I was doing.

Research, read and then do more research!!

I have to add in, you need a very understanding family. My wife for a few months hardly spent any time with me; I would come home, have dinner, do a few chores and be straight back on the computer. This went on for months. Towards the end of the course the comment was the Internet is being disconnected if I didn't finish soon. Without her support I would have never made it.

Eventually I got through all the course material and now had some understanding of what I was doing, time to begin with the labs.

From reading all the blogs, I had collected scripts and other helpful links. It began with mapping out the network. Be careful of the allowed range that has been allocated, as I got a warning email about scanning networks that were not in scope.

The labs started off with a few easy wins, point-and-shoot exploits, a bit of MS08-067. I used MSF the first few times just to get a win and build up confidence. As I got through the machines, I would try a manual exploit first, and when really stuck I would fall back to MSF. I did as many manual exploits as I could. It helped me build my knowledge on understanding code and making changes where needed. I learnt how to compile using Visual Studio, which was really helpful.

Then things started to slow down; it was taking me up to a week getting root on one or two machines. At this rate I thought to myself I'll be here for the next 6 months. But I kept on at it, fixing my scripts, working out where I was going wrong and trying to do things more efficiently. I decided to get the full version of Burp, which I found was very helpful. It would get very frustrating where I would spend days on something and not get anywhere. You just have to keep trying again and again; sometimes the machine needs to be reverted. Sometimes it's just not your day, try the same thing on the next day and it just works.

Midway through the course, Offsec decided to change the rules. Under the new rules students on the Offsec channel were advised not to ask other students for help. This was a big deal as now if you are stuck, the only way of getting help would be with the admins. For me, without the IRC channel I would have never been able to finish the course. I met some really great guys on it who helped a lot, pushed me along and helped me achieve the end result.

As I went through the lab, I would document using KeepNote every step that was taken to exploit a machine. I would also document anything new I found so that I can reference it when needed. I also had a Tips page running; whenever an admin or student would drop a hint I would record it, so when I got to that machine I had some notes on it.

The lab environment that Offsec provides caters for all levels of experience; you can be a newbie like me and start off with the easy ones or go straight for the harder ones like Sufferance and Humble. There are multiple networks, and as you find keys to access the networks it really boosts your confidence to keep trying and reach the end. I had a counter at the top of how many machines were done and how many were left, and it would change every time I got root on a machine. I worked really hard to get the number down below 30.

For compiling Windows exploit code, I ended up setting up Visual Studio on a Windows machine and using that to compile it. I had never used Visual Studio before, but it's all part of the learning experience.

Soon the 3 months were up and I had done only 25 machines, which was not enough for me; my aim for the course was to learn as much as I could. The certification was not the end goal, so I decided to sign up for 2 more months. You always read about former students saying in the last month you achieve the most; I didn't get it until it happened to me. In 3 weeks I went through another 24 machines. I finished the Admin and IT networks and only had Humble left in the public network. It was Christmas break so I had two weeks off and I gave it my all. Machines were just falling one after the other; I had finally got into the rhythm. It was no longer shooting in the dark and hoping something happened, I was now enjoying the experience.

As I was wrapping up lab work, I decided to take an attempt at the exam. For me it was $60 and that was a cheap practice run. I had heard how bad the exam is so I thought let's do a practice run. I booked in the exam while I was still on break with a week's notice and started my report.
My advice on the report is to start well in advance; it took me a few days to get it ready and I didn't want to do it right after the exam. The report was fairly small at around 150 pages. I had all the lab machines in there plus the exercises from the course work. The report covered 49 lab machines, all listed with the step-by-step process that was taken.


The Exam

My exam was booked in for 8PM AEST, and at 8PM sharp the lab guide arrived. My plan was to take it easy, do as much as I could and treat it as a challenge, not an exam.
I got shell on two machines within 5 hours and was like not bad, but my first machine was giving me a lot of trouble. I knew I should have root but it wasn't working, so I decided to get some sleep. I was going to take a quick nap, which went for 7 hours. The next morning I wasted a lot of time on the two machines and in the end I reverted them; then my exploits from the previous night worked and I got root straight away. What a pain... I had wasted too much time on them. At the end of the exam I had 2 roots and some movement on the 3rd but no shell.

For $60 I thought it was a good deal. After the exam I submitted the report within a few hours. I knew I had 50 points and was short 20, so I knew I was likely not to pass, and I didn't.
I wasn't happy with my effort on the exam and wanted to make a better effort at it.

As soon as the result arrived, I booked in my exam for two weeks later. I still had a month left in the lab time and was going through all my exploits, fixing some up. The first exam showed me where all my weaknesses were and what I needed to work on.


Attempt 2

Again the exam guide arrived at 8PM sharp and I was off; this time I wasn't going to mess about like last time. I had my scripts ready, and as soon as I had the exam guide I kicked them all off. While my scripts ran I started with manual nmaps. Within 3 hours I had root on 2 machines, so I knew I had 45 points and only needed 25 more to pass. I started enumerating the others and watched some TV. At 3AM I decided to go sleep for a while. I had a 6 hour nap and started again. Got root on my 3rd machine, did a lap around the house, played some Xbox and relaxed. After I got shell on my 4th machine I went out for lunch and came back 2 hours later. Took longer than expected there. For some reason on my 4th machine things were just not working. I knew I had 75 points already and I would pass, but I wanted to get it all. Then with 15 minutes left to go things finally started to work on the 4th machine, but not with enough time. I decided I had enough points, so let's start cleaning up.


Updated my report, fixed up some things in there and sent it in.

Monday, shortly after midnight, the email arrived and oh yeah, passed!! I felt like screaming with excitement but it was a bit late for that then. I had done it!


Conclusion

I have to say this is the most exciting / interesting course I have ever done. I went in with no experience or knowledge and came out the other end with a set of skills that I proudly earned. I learnt to understand exploit code and do basic fix-ups. For anyone thinking of doing this course I would highly recommend it, just do note that a lot of time has to be dedicated to it. Anything is achievable if you are willing to work hard for it. I spent 4 months to finish the OSCP; it all depends on the experience level, as some people finish it a lot quicker. The Offsec lab time is very reasonable compared to other similar courses. I still have Humble to finish, which I'll work on this week as I still have a few weeks of lab time left.


For me now, I have to wait for my lovely wife to hopefully soon forget about the last few months and approve funding for WAPT. I learnt so much from Offsec and I'll be back for OSCE in a little while; for now I am going to develop my Web App testing skills.

I have listed below some of the links that were very helpful during the course; also listed are some books I found useful. Drop me a msg if there are any questions.

Cheerio.



https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://www.phillips321.co.uk/2012/02/05/reverse-shell-cheat-sheet/
http://www.fuzzysecurity.com/tutorials/16.html
http://pen-testing.sans.org/resources/downloads
http://pentestmonkey.net/category/cheat-sheet/shells

The Browser Hacker's Handbook
Mastering Kali Linux for Advanced Penetration Testing
The Hacker Playbook: Practical  Guide to Penetration Testing



6 comments:

  1. Awesome post! I'm currently prepping for OSCP at the moment, learning various areas where I know I'm weak.

    Congrats on the OSCP! :D
  2. Congrats mate, I know how hard you have been working on this! Also your wife is a keeper!!

  3. Hi, I would like to know the skills required to take the exam

  4. You up to give any suggestions on some of the labs? I have been stuck and cannot seem to find any answers.
