On Attempting OSCP
OSCP (Offensive Security Certified Professional) is one of the best known certification in penetration testing. This is also one of the most, if not the most challenging one as well. As it turns out, I gave it a try (spoiler alert, I did not succeed) and I am writing this to share my experience. Even though I didn’t pass the exam, I am pretty sure that this post could help some people in their exam preparation. It could also help some to know if they are ready or not for the challenge. In any case, here is how it went.
To tell the truth, I never intended to do the OSCP certification. A previous colleague of mine tried it and I saw first hand what to expect. I wasn’t sure that all this work was worth it, plus the exam seemed ridiculous (we’ll get back to that). However, at the end of NorthSec’s CTF (https://nsec.io/), I won an OSCP exam attempt plus 30 days of lab access during a price draw. At that point, I figured that I might just try it. Worst case scenario, I would still acquire valuable knowledge.
I started out where probably most people do: Google. I read a bunch of blog posts from people that did the OSCP exam. I read about people that succeeded and failed, since both perspectives give different insights. Here are a couple that I consulted more than once:
- http://0xc0ffee.io/blog/OSCP-Goldmine
- https://www.alienvault.com/blogs/security-essentials/how-to-prepare-to-take-the-oscp
With that completed I knew a bit more about what to expect and how much time I would need to prepare for the exam. I figured that if I gave myself 6-8 months, plus the 30 days of lab, that ought to do it. That time of preparation can be different for other people, depending on your current knowledge, your life situation, etc. For me, I knew I would not be able to spend much more than 10 hours a week on my study. Except for the last 30 days, of which I wanted to take the most of the lab access.
Now that I knew what to expect, I had to come up with a basic study strategy. I read OSCP’s student and exam guides. This gave me an idea of the areas I had to focus on first. At first hand, I knew that I was lacking some theoretical knowledge before I could jump in practical exercises. For the first few weeks, I’ve read quite a lot of books and watched online training (please see the end of this post for all the material sources).
After going through all that material, which took me a few months, I started to get my hands dirty. Of course, whenever I came across a challenge or a subject that I was not comfortable with, I would take the time to search and learn about it. I focused my practical studies on 2 major resources: vulnerable by design VMs that I would download on my machine and Hack the Box. Again, see the end of this post for all the references. It goes without saying, you can’t even think about having a chance at OSCP if you do not practice your skills.
One important tip that I can give you regarding Hack the Box, or any other similar platform for that matter, is to focus on the machines that are rated to be close to reality compared to the CTF-like ones. Don’t get me wrong, you can learn a lot by pwning CTF-like machines. However, you would better spend your time prioritizing the close to real life machines, since those are the ones that best represent what you will encounter during OSCP’s lab and exam.
The practical aspect of the preparation was essential. I do not regret spending time reading books, since it gave me some critical knowledge. Especially for things that are in the category: “you don’t know that you don’t know”. However, OSCP is a hands-on exam. Therefore I knew I had to focus most of my time on actual hacking. With about 3 months to go before having access to the OSCP labs, I was spending about 15 hours per week on that preparation.
Now comes the time for the lab, or so I thought. Since the lab environment is shared with other students, the number of participant accessing the lab at any given period of time is limited. This is to reduce the risk of having multiple students targeting the same machine. That makes sense, but I didn’t know that (and if it was written in OSCP’s exam or lab guide I missed that information). That means that you can’t have access to the labs whenever you want, you have to pick a time period. As it turns out, the period I wanted to pick was already taken. In the end, I got access to the labs about 30 days later then I had planned. I guess it goes without saying that it screwed some of my plans, both professional and personal. In any case, I didn’t have any choices, and I used that extra 30 days or so to continue to study on my own.
After about four weeks, I finally started the OSCP lab. Since I had only 30 days of lab access, I decided to spend around 15-20 hours per week on my OSCP training. Honestly, I felt that I needed to do more than that (or have more than 30 days of lab access), but with a full-time job, a house, a wife, etc., it was hard to do more than that and still get a good night of sleep.
The first steps into the lab went smoothly for me. After spending an hour or two to enumerate the basic potential entry points on some of the first machines (there were about 20 of them), I started to focus on one or the other. I was able to gain root access on around 5 machines with ease and another 5 without much trouble. The good news at that point is that all the machines were pretty similar to what I was used to on Hack the Box. However, about 2 weeks in, I started to face some more challenging boxes. In the last 2 weeks, I was able to gain user or root access on another 5 machines or so. In case you are not aware, the OSCP lab consists of multiple groups of machines, each protected behind a firewall. Each group is more challenging than the previous one. I barely scratched the surface of the second group. At that point, I was feeling both confident and worried of my capacity to successfully complete the exam. At the end of the lab, I had a few days before the exam to catch my breath, review a few things, etc.
This is now the day of the exam. I woke up on Thursday morning, fully knowing that I might not go back to bed before Friday morning if things do not go smoothly. Since this is a (crazy) non-stop 24 hours exam, I made sure to make my experience as smooth as possible; all the meals were ready in advance, lots of coffee waiting for me, etc. As for how I would spend my time, my strategy was, and I stuck to it, to do 2-4 hours of exam, followed by a 15-45 minutes break, depending on what time it is. I logged in to the OSCP exam portal, downloaded the necessary VPN config, did the initial verification with the proctor, and off I went.
As usual, I started with enumeration, for at least an hour. I was able to gain root access on one of the machines without too much of a challenge. I didn’t know that at that point, but that would be the only one. What is funny though is that, according to the number of points associated to that machine, this machine was one of the hard ones. For the life of me, I never was able to complete the “easiest” machine. Before diner time, I was able to gain user access on another machine. Then again, that would be the only other machine I would reach that access. One thing that I was not prepared for, even by doing the labs, is the quantity of rabbit holes (i.e. false hopes of entry points) on the exam machines. I am sure I wasted too much time on things that were not exploitable. At around 10 in the evening, I realized that if I wanted to have any chance to pass the exam, I would have to do the full 24 hours without sleeping. I grabbed my emergency Redbull and went on. Unfortunately, that was not enough. About an hour and a half before the end of the exam and still 2 or 3 machines short of having the passing grade, I threw the towel. Since I did not reach the necessary number of points, I did not bother doing the report. As I went to bed on Friday morning, my wife was waking up to go to work.
I was disappointed that I didn’t pass the exam, but at the same time, I was happy to move on. I don’t feel like I wasted my time since I learned a lot while studying for that exam and that knowledge will never be lost. Looking back, I asked myself what I could have done to pass the exam. For one thing, 30 days of lab access was not enough for me. On the other hand, I could not take a lab extension. If you plan to do the exam, I suggest that you take at least 60 days of lab access. Especially if you have other priorities in your life. It would also give you plenty of time to try things out, and even to try other approaches on machines that you have already pwned. Another thing is that I should have waited before enrolling for the exam. I did not had control over that in my case, since I had 1 year to use my voucher for the exam. In any case, I did not have enough experience to tackle this challenge properly.
That being said, I don’t see myself trying OSCP again. I understand that the 24 hours time frame for the exam is to demonstrate that the candidate is able to manage his time and such. But that is ridiculous in my opinion. I don’t see the point, especially with all those researches that show that the average person can’t keep focus even on a regular 8 hour work day. Does that mean that I think this certification is not worth it? Of course not. Anybody that gets this certification is sure to have a great career path. But this is definitely not the only way. In my opinion, you can achieve more or less the same results by doing side projects a few hours per week (or even per month) and completing some more reasonable certifications. Now, if you are reading this and plan to do OSCP, be aware, you are in for a ride.
As promised, here are some of the materials that I used to prepare for the exam:
Books:
- Penetration Testing: A Hands-On Introduction to Hacking
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
- Hacking: The Art of Exploitation
- tip: do not underestimate the importance of buffer overflows exploitation for OSCP
- Red Team Field Manual
- This book is highly optional, but can be an interesting quick go-to when looking for a particular command
Videos:
Vulnerable Machines:
General Guide:
About The Author
