My Path to the OSCP Cert / PWK Labs

The Offensive Security Certified Professional (OSCP) has been one of the most difficult certifications I have completed but also one the most rewarding.  If you are thinking of going down this path or preparing for the exam, below are a few things I found useful or wish I knew before I started this journey.

Lessons Learned

Before starting in the PWK labs

Join online study groups – I joined a few on Facebook (best one being OSCP study group) and was surprised how much helpful material and suggestions came through there. Also seeing when others passed (or failed) was great motivation to try harder. If you ask silly questions you’ll get silly answers, including “google” or “try harder”. However if you ask specific questions like “what tools can help with FTP enumeration” people will be more inclined to help you. Also try to give back, if you find a nifty trick or tool – share with the group.

Do the Over the Wire challenges. If you are new to Kali do yourself a favor and go through these Bandit (Linux focused) and Natas (Web focused). Its free and you will learn the basics. While in the pwk labs I found myself a few times referencing back.

Practice on VulnHub. Download VirtualBox and run these VM’s locally at home (also free). Practice documenting the machine and testing new tools . There are many other sites out there that list relevant OSCP VM’s but after going through the labs, my vote would be the ones below. If you are starting out, set yourself a time limit. If you don’t find the solution in say a days time, sneak a peak at someone else’s walk through. But don’t give up too quickly, the practice of researching how things work is what its all about.

Practice on Hack The Box. This is an online pen-test lab. You can get a free account but it is busy with many others also working on the same boxes. Highly recommend a paid account where you share with alot less people. If you aren’t ready to play with others, there are small challenges you can download and solve offline. As I built up my confidence and skills, this became more fun. I think a new box is released every few weeks and is generally based on a recent vulnerability – so great for keeping your skills up to date.

Watch IppSec HTB YouTube videos. He is one of the heroes of HTB and does a video walk through of each HTB machines once its retired. There is even a beginner playlist. I found taking notes while watching these came in handy for later on. If I could have done one thing different, before jumping into the pwk labs – it would have been to watch as many as these as possible.

While in the pwk labs

Make time for the labs. You have paid a lot of money to use these, make sure you maximise your time using it. Make sure you get the support from your friends and family and they know you will be out of action for a while.

Book your exam in early. The moment you get lab access, schedule your exam. This ensures you get a date and time you want. If not you will be starting a 3am on a Tuesday after a full day at work.

Never assume. Always try the easiest solutions first, then move onto the more trickier.

Be prepared to be trolled by the boxes. Firewalls will be in place. Scheduled tasks will open and close ports, swap files around, delete temp directories. Its all part of the fun : )

Revert before scanning. A valuable lesson is to always revert a box before scanning. As if someone else has already exploited it and left it limping along, you are not going to have a good time. Think about it, the final exploit may actual kill the remote service so when you are scanning you’ll miss it. Think I got caught out by this about 3 times – don’t be like me ; )

Also other students may have already solved 90% of the box for you, so when you do the write up or come back to it later you might not be able to get in because you only have half the solution.

Share the boxes. Remember you are sharing boxes with others students. Don’t be afraid to move onto another box if the one you are working on is too busy. For example if you find it keeps being reverted or if you notice 8 other people in the forums viewing hints for this its probably better to jump to one that is less busy. Some popular boxes have duplicates on in the lab – 2 different IP’s but identical VM.

Organise all commands and techniques as you discover them. Document boxes solved in detail and then summarise commands in another cheat sheet. That way when you encounter a similar problem in the future (or while in the exam) you can easily and quickly reference. I personally found MS OneNote was great –  quick to search and if you destroy or change your kali VM, you don’t lose any notes if your keeping inside.

Time management. Such important advice.

  • Try not to get stuck on any one machine for too long.  Set limits and rotate through machines every couple of hours. Follow a methodology and If something is not working, move on to other machines and come back later on.
  • Some machines are heavily dependent on others to the point its almost impossible to proceed without loot from another box(s). Its up to you to decide when to move on.
  • Focus your time on the low hanging fruit first or the open services that you can run the most tools at . For example generally HTTP/SMB first, SSH last.
  • Always have something running in the background. eg: nmap/dirb one box while you are focusing on another. This will be important to practice for the exam.

Asking for help. While the offsec fourms can be helpful for hints, its always best to attempt a box first without peeking. If after a day you get no where, have a look. There is a balance between persevering on a box for 5 days getting no where. Especially as you are paying for the lab time. Just don’t expect to get any obvious hints.

Enumeration is key. Gather as much information about a host and its open services until you find something. Once you have all the details prioritize them. Essentially you want to know the OS version, architecture, installed services and their versions. From there google the shit out of everything. Read the manual, download the program onto a spare VM. Also don’t forget UDP.

Read the Alpha walk-through first. There is a box in the lab which has a walk-through written by g0tmi1k. It goes in depth about the thinking taking place and how information is prioritized. There are also some hints dropped about other boxes. I wish I had started with this. Attempt this box first, then if you get stuck follow the walk through – as that will be the only help you’ll find in the labs : )

Do the exercises. If you are new to this do all the lab exercises. Its a great way to learn and some of the exercises will start you with basic enumeration or scanning in the actual labs. Some exercises you won’t be able to complete until you find the right machine, so don’t be afraid to skip some questions. Document thoroughly so you can reference in the future. Also when you submit your exam you can include this (plus 10 machines) for an additional 5 points towards the exam. Its rare this will be the tie breaker, but you never know if this will be the reason you fail.

The Exam

Best advice about the exam is to do some googling about how other have approached it. However most say the same thing. Hopefully the below will help someone else.

If you do come across someone trying to sell answers or cheating, report this to offsec.

  • Take regular breaks during the exam – its both physically and mentally exhausting
  • Rotate machines regularly (eg: after 2 hrs if you are nowhere, try another and come back to this one later)
  • searchsploit every piece of software found (where possible find the exact version running)
  • Plan and Manage your time – when are you going to have breaks? how long to sleep for?
  • Prepare your notes – nmap scripts, hydra etc
  • Prepare your tools/scripts – web shells, pe scripts, hashcat etc
  • Prepare where you will be saving exam notes – folder structure etc
  • There are generally 5 machines to break totaling 100 points, you need 70.
    • 2 x 25 points – 1 being a BoF, the other requiring multiple steps to break
    • 2 x 20 points – requiring a few steps to break
    • 1 x 10 points – usually exploit and click

Attempt #1 (recon)

I initially had 90 days in the labs. I knew I wasn’t ready and was going to get another 30 days of lab time. So instead of giving up the exam attempt, I treated it as a recon exercise.

  • Estimated I scored ~35/70 points. I got root the 10 point machine and user on a 20 and 25 point machines. Plus 5 for the exercises. Was actually surprised I did this well for a recon attempt.

Where i think I went wrong

  • I left booking my exam to the last minute and started at 11pm. My plan was to stay up till 11pm then set off a script to do all the nmap and web scanning. Windows updates *shakes fist* had other plans. I didn’t sleep well and woke to find my host had rebooted with the lovely pop up saying PC had been updated.
  • My time management was horrible. I got so caught on on the first few machines, i didn’t even touch one of the 20 point machines. There was also lots of idle time where I was not running something in the background.
  • I was really weak at the BoF machine and PE
  • I didn’t take enough breaks or sleep enough. Towards the end of the exam, I was a zombie and just mashing the keyboard.

Attempt #2 (I think I’m ready but, I’m actually not)

Another 30 days in the labs then a few VulnHub machines and BoF practice, I was feeling a bit more confident. When buying the extra lab time I booked the exam straight away and got to start at 10am this time.

  • Estimated I scored ~30/70 points (worse than the first attempt). 25 points for the BoF machine (yay) and 5 for the exercises. I couldn’t even get a foot hold in the others – they were very difficult.

Where i think I went wrong

  • This time my exam was proctored (first one wasn’t), meaning someone was viewing my screen and watching me on a webcam the entire time. This was initially very off putting and it was only towards the end I got used to it.
  • I spent way too long on the BoF machine. While I had detailed notes for the labs and other machines, it was all over the place and I wasted much time here. I also missed 1 of the bad characters, after troubleshooting for a long time, I essentially started again.
  • I didn’t use enumeration scripts
  • I was still using an old 2017 pwk VM from the labs. This had the metasploit and msfvenom bugs, where when it was run it would randomly fail 8/10 times. While there was a fix on line for this, I didn’t find out until after the exam.

Attempt #3 (Victory)

Due to the cost, I decided not to buy any more lab time and just get the exam. At this stage I had 40 of the 50ish machines in the lab. Instead did some more VulnHub machines, signed up for a premium HTB account and watched lots of IppSec’s walkthroughs (lots). I was lucky and found the only timeslot before the end of the year (assuming someone changed last minute), this started at 5pm. I found this to be a time that worked for me as went from 5pm-11:30pm, slept, woke up at 5am and went through to 4:45pm. I also took 10min breaks approximately every 3 hours – found it really helped.

  • Estimated ~85/70 points.
    • 25 points for the BoF machine in the first 2 hours.
    • 25 points for the next machine, user withing 2 hours
    • ~2×10 points for user on both of the 20 point machines.
    • 10 points for this machine in the last 30 minutes(cutting it close)
    • plus 5 for the exercises

What I did right!!!

  • I downloaded the new 2018 pwk VM (much better)
  • I made a cheat sheet for the BoF machine which generically stepped me through and had all the commands ready for editing so I just had to copy and paste. For example bad characters, pattern creation, msfvenom command etc.
  • I was more comfortable with the proctoring
  • I used PE scripts and the Python SimpleHTTPServer opposed to Apache
  • I managed my time much better. While working through the BoF machine, I was always scanning the next machine in the background.