Hacking, Coding and Gaming | @[email protected]

I thought I'd share my thoughts and experience of Offensive Security's OSCP course/certification, prior to writing my exam to avoid the results tainting my thoughts.

I didn't know what to expect from the course work or exam and was worried I'd be very much "on my own" - I'd read too many times you "need to be able to Google" but often the challenge is knowing what to Google. Luckily there are forums available which, although they're often censored to remove spoilers, are usually able to give you a pretty good nudge in the right direction if you get stuck. The machines are a lot more "realistic" than CTF or HackTheBox... so you're not going to be solving puzzles or doing guess work.

Costs and signup:

The pricing can be found here but it costs $1,150 USD for 90 days of lab time and one exam attempt - apparently this is the most common option people take. I figured I'd probably also need 90 days of lab time but instead decided to go with 60 days of lab time (and an exam attempt) and take another 15 days of lab time and another exam attempt should I need it. So I'm still at $1,150 but have 15 fewer days of lab time and another exam attempt. You can only have 1 pending exam attempt at a time so there's no point buying three 30-day lab blocks up front... you'll still only be able to do the exam once. Also, this way, should I happen to pass on my first attempt, I save some time and money.

Signing up for the course requires a non-free/public e-mail address, ideally a work e-mail address (though remember to update Offensive Security if/when you change jobs and emails), and you're given a temporary link to use to make payment to secure your enrollment. You might not be able to start your course immediately, so I'd suggest enrolling up to a month ahead of your schedule if you're working to a deadline/goal date.

On the morning of your start date you're sent emails with links to download your video + PDF materials, the Kali VM they recommend you use, OpenVPN connection details, and the OSCP control panel and forum links and credentials. The videos + PDFs will have your name and supplied address embedded in them to prevent sharing (your certification will be revoked and you'll be banned for life if caught sharing training materials). Your download links are also only available for a limited time, so make sure you back up your resources after downloading.

Getting Started and course materials:

Being stubborn I was determined to use the recently-updated Kali VM I'd created instead of the one provided by Offensive Security... don't do this, just use their VM and save yourself hours of frustration - there are many differences that cause things not to work as expected or needed in the course (eg: sambaclient, openssh, BeEF) so just use their VM. I repeat, use their provided VM!

There's no clear "here's how to do this course" guide; you're thrown pretty much in the deep end, and I got halfway through the PDF before realising I should have been watching the video materials at the same time (I figured the PDF was the "getting started"). Most sections of the course contain exercises requiring you to perform goals or answer questions. They go from fairly straightforward to suddenly requiring you to have hacked machines in the "labs" without telling you to start attacking machines. There's also a section or two that requires knowledge you're only given in later sections... so if you can't do something, just skip over it and come back to it later.

There was nothing mind-blowingly new that I learnt in the course work, but lots of little things that refined my way of doing things or added to my knowledge... stuff that would bridge gaps, if that makes any sense, and let me do more than what I could before. I think this is the type of stuff "experience" (in a job) gets you... two people might know the same stuff intellectually, but someone with more experience will know little nuances and tricks the other with less experience wouldn't, giving them an advantage and making them more effective. This alone makes the course worth it, fast-forwarding me through what would otherwise take ages to learn on my own.

As LiveOverflow says in his "The Secret step-by-step Guide to learn Hacking" video, there is no secret book with forbidden knowledge that unlocks magic wisdom. Much of the stuff in the course is already available online and most people know it to some degree. Instead the course provides refinement, method, and insight into those things. As a result it's entirely possible (I imagine) someone could pass the exam without going through any course material. That said, the course material would be a huge wealth of new knowledge for someone with less experience.

Course work and reporting:

The answers to the exercises, as well as a "report" on how you compromised 10 machines in the lab, can be submitted along with your exam report, and if all done correctly will grant you an additional 5 points to your exam score. I believe this was previously 10 points (5 each) but now both together are only worth 5 points.

Completing the course exercises, specifically documenting the answers, was way more frustrating and took a lot longer than I really had patience for... but I did them anyway. I would definitely recommend working through the questions as they force you to think and learn stuff, but "answering" them can burn through precious (expensive) exam time that could instead be spent on learning in the labs.

The exam requires 70 points for a pass, with (I believe) the machines counting for 25 points, 25 points, 20 points, 20 points and 10 points. No-one seems to be sure how many points a restricted shell (partial compromise) counts for, but ignoring that, unless you got the 25+20+20 machines the extra 5 points probably won't help you much.

The lab report (of 10 machines you compromise in the lab) is definitely worth doing... without the coursework answers (above) the lab report won't grant you any points towards your exam, but it will certainly help you complete your (compulsory) exam report. Definitely do your lab report, tweak the layout, make sure you follow the recommended format, and hopefully the exam report will be quick and easy.

Hacking lab machines:

You start off with access to only the "Public" network, which has about 45+ machines. Nothing tells you where or how to start, but the course does recommend identifying and starting with "low hanging fruit", so scan and pick some targets... if you get stuck, move on to another machine. Some of the machines have a .txt file containing a string (hash) used to unlock other networks (technically this just unlocks the forums and control panel for those machines; it doesn't actually unlock anything at the network layer). The other networks (Dev, IT and Admin) all have far fewer machines and provide a way of testing pivoting and tunneling through hosts (which makes things like reverse shells a little more tricky).

The machines are not CTF style, which often requires thinking outside of the box or guesswork, but instead test your systematic approach and attention to detail... which is a good thing. You're only allowed to use Metasploit on 1 machine in the exam, so it makes sense to avoid using it in the labs. I thought this would be a lot harder than it was - the labs are set up to be done without Metasploit so there's very little you need from it. So nothing too scary there.

The "enumerate, enumerate, enumerate" mantra is very true for the labs... most of your time and effort will be spent finding out what's running on the machines and what versions, and then checking to see what exploits are available to get an initial shell. Once you have a limited shell you start enumerating the internals of the system... sometimes you'll use a local privilege escalation exploit, sometimes you'll find some misconfigured service or "sudo" command to get root.

I'm starting to think that hacking isn't about tech skill. It's being willing to stare at a screen for hours, try a million things, feel stupid, get mad, decide to eat a sandwich instead of throwing your laptop out a window, google more, figure it out, then WANT TO DO IT AGAIN

-- @Zeena, on Twitter

Three of the infamous lab machines are Pain, Sufferance and Humble. These were definitely challenging, but not in a CTF way requiring guesswork... take your time, enumerate, check and try exploits, work slowly and carefully and they're fairly straightforward. On two of them I wasted a bunch of time because I overlooked or skipped stuff because of assumptions. I found some other machines in the lab more difficult, mostly because I just didn't know how to progress with them; I assume everyone's experience will vary.

Remember to take a good look around a system once you've compromised it for clues and creds to other machines... and take screenshots of the output of "ifconfig" and "proof.txt" so it becomes muscle memory for the exam (which requires screenshots of those in your exam report).

Reverse engineering and buffer overflows:

This was the part of the course I was most worried about, especially knowing it made up 25% of the exam (one 25-point machine), but I actually really enjoyed it and found it much easier than I was expecting. I made a point of revisiting the buffer overflow coursework every weekend, redoing the exercises and creating an exploit for a known buffer overflow in another application. This section seems like something that can be learnt relatively "parrot fashion" (or "muscle memory"?) and hopefully make for some easy points in the exam.

Some other thoughts:

Make notes of everything. Personally I just used text files (one for each machine), structured with indentation and sections in a way that makes it easy to remember what I did, come back to it, and repeat it. You will likely be returning to machines you've compromised (as both a limited user and root). There are some cross-machine relations/dependencies you might not realise or discover the first time you root a machine.

There is some password/hash cracking involved, but you probably don't need any fancy hardware or special wordlists (most of the "root" or "Administrator" hashes aren't intended to be broken I believe).

I believe the newest version of Windows in the lab was Windows Server 2008, so while it's a bit dated the tools and procedures should all be equally relevant today... it would have been nice to compromise newer operating systems though.

I completed all but 2 of the machines (excluding the last half of "gh0st", a more CTF-like machine) across all of the networks in 53 days, leaving me a week to rest and tidy up my notes before my exam. I worked a full time job during this time, but spent most of my non-working time working on OSCP so it definitely took a lot of time.

Book your exam early... like a month or more early, if not immediately when you start your course (for shortly after). Most people seem to go for a weekend exam, so waiting times are up to a month (which was the case when I booked mine). If you don't get the slot you want, take what's best for you and keep checking the booking calendar as a slot might open up (which happened for me :D).