Hacking, Coding and Gaming

I recently wrote my thoughts on the OSCP certification, prior to writing my exam, which might be worth reading before this post. A couple of days later I wrote the exam - and passed! This post will start with the exam and then have some more thoughts on the OSCP course.

The exam itself was a lot harder than I was expecting... I had started the course with 60 days of lab time, intending to write (and fail) the first exam, and then take another 30 days of lab time and write again. I completed all but 3 of the machines in my first 60 days of lab time, including the "big three": Humble, Pain and Sufferance. Although I'd learnt a lot in the course I felt I was relatively prepared for the exam and was well stocked on notes and links to aid me.

To pass the exam I had to gain 70 points from 5 machines, which were valued at 25, 25, 20, 20 and 10 points. I tackled the "buffer overflow" machine first, worth 25 points, which I was hoping would be an easy win in the exam - I'd been working through the buffer overflow coursework, and writing my own exploits for known vulnerabilities in other software, every weekend during my course time. The buffer overflow machine was Windows based and had nothing outside the coursework... with a decent understanding of it and enough practice, this is an easy 25 points, which I had within 1 hour of my 24 hours of exam time.

Things got a lot harder after that first machine. I had performed enumeration on the other machines and decided to have a quick go at the other 25 point machine (hoping to get to 50 points quickly), and while there was a fair deal to find and fiddle with, I just couldn't find a way forward. I spent a fair deal of time rotating through the remaining machines, occasionally and slowly making some progress before getting stuck. At the 12 hour mark I had 55 points (25 point buffer overflow machine + 20 point machine + "easy" 10 point machine)... I'm a little disappointed that the 10 point machine tripped me up as much as it did, but I guess that was the point. I decided it was time to get some sleep... for 5 hours... which might have been a bit much (but it was 2am and I woke up feeling re-inspired and full of ideas).

The final machine I completed, giving me another 20 points and enough to pass, took 6+ hours of making absolutely no progress. I jumped across to the 25 point machine a few times but felt even more blocked there. Eventually, almost accepting I'd failed, something clicked and the rest started coming together quickly... with just minutes left I got Administrator access, the proof files and screenshots - 75 points!

So what went wrong? I went into the exam expecting to use my vast arsenal of tools, notes, and pre-compiled exploits as I had in the labs - instead I used hardly any of it. In the labs you typically discover some third-party software, or custom web app, and can get a feel for where your entry point will be. You start seeing similar trends and clues. In the exam I was stumped - there was nearly nothing to see, and no hint where to get in... even common enumeration scripts and methods didn't reveal the type or amount of stuff they do in the lab... everything felt a lot more "locked down" and a dead-end.

Talking to a friend of mine about how I found the exam, and trying to explain how/why it was so much more difficult and different to the labs, I think I came up with a decent analogy: imagine spending 2 months learning a programming language, the syntax and functions, learning about and how to implement common algorithms and data structures in that language, even doing some "interview questions" to make sure you properly understand the language... and then you sit down to write the exam and have to code in a totally different programming language. It's a lot like that - what you spent time learning certainly wasn't wasted or useless, but isn't nearly enough to carry you through the exam.

Then I realised the course was never about the tools, command line arguments, targets, or methodology. They all matter, but the REAL point of the course (I believe) is learning to think, try, and learn - and that's what the exam requires of you, that's why you have to "Try harder"... what you have and know is NOT enough, not even when you've completed the labs. Definitely take notes and learn tools, but DON'T let those dictate what you'll do and try... they're your fallback, not your path (of course you could get totally different machines and have a totally different experience from mine).

Once again, my exam made very little use of the sites I'd been studying and tools I'd collected; that said, there were some useful links worth mentioning:

So back to the course...

I knew the course and exam were going to be hard, but had I known the exam was going to be this hard I probably wouldn't have signed up. I'd been telling a few friends - even those not as much into software/web security stuff - that they really should do it too... I very quickly told them I'd changed my mind about that. The OSCP course carries quite a hefty price tag and while I think the course + experience is worth it, I'm not eager to recommend people take it on too flippantly - you have to be pretty determined to fight through to the end.

I'm not sure how it could be structured, but wish there was a cheaper non-exam option of the OSCP course - it's without a doubt the best "structured training" and experience around information security, and something I'm convinced every developer should go through and learn from.

As an alternative (and here's a mini "how to learn hacking" guide), I really believe the following links can teach someone a lot:

  • HackSplaining - covers many web vulnerabilities/attacks in a simple and illustrative way
  • IppSec's YouTube videos - be sure to watch from oldest to newest as he explains new tools when he uses them
  • HackTheBox - online VMs for you to hack, two of which are very similar to two found in the OSCP labs (does tend to be "more tricky" and "CTF-like" than OSCP labs though)