Another OSCP tale: an outlook into it.

just_a_noob
7 min read · Mar 28, 2021

Hello readers, it has been a long time since I last wrote anything. I recently cleared the OSCP certification with the PWK2020 edition, so this blog post is about my experience, my takeaways and the things to look out for in the OSCP.

//Please note the information below is based on my personal experience with the OSCP//

I will divide the OSCP course and exam into the following stages:

  1. Requirements
  2. Time Threshold
  3. PWK Labs and Materials
  4. The Exam
  5. My takeaways from the exam
  6. Final Thoughts
  7. Useful Resources

Requirements

Before you think about purchasing PWK2020, I would suggest answering the following questions:

1. How good are your web exploitation skills? [Requirement: good enough to identify critical web issues.] What I mean is that finding a web vulnerability is one thing, but exploiting it to gain an initial foothold is another [for example, escalating a SQLi to a low-level shell, or an LFI to an RCE to a shell].

So at least make sure you have decent experience at identifying critical web vulnerabilities such as SQLi, LFI, RCE and RFI.

2. How good are your network enumeration skills? [Requirement: good enough to conduct basic enumeration over a network with Nmap, Metasploit and other service and exploit enumeration techniques.]

3. How familiar are you with solving CTF-like machines such as HTB, TryHackMe, VulnHub, etc.? [Requirement: not mandatory, but having a good idea of how to solve HTB or VulnHub machines is an advantage.]

4. A decent grasp of Bash scripting and Python, since most exploits in the labs are in Python and in some cases in C. [Requirement: an advantage to have, although you can develop it through the course study as well.]

5. Finally, how good are you at staying persistent and patient with the machines when things are not going your way? [Requirement: this is a must.]

Even if only 3 out of the 5 requirements are thoroughly checked, I would say you should be fine to go, because nobody has all the skills needed from the start but can adapt on the go during the course. In my case I had only the 1st, 2nd and 4th requirements checked, and developed the remaining two while practising the PWK course. Having said that, checking off all of these requirements will definitely quadruple your chances of clearing the exam more easily.

Time Threshold

Ideally, I would say 3 months of PWK lab time [expensive, but worth it] is enough to learn most of the concepts required, along with an additional one month of HTB or VulnHub practice. However, if you are something of a pro at solving HTB machines and are experienced with them, I would say 2 months of PWK labs is more than enough.

Whatever the course time, one thing is constant: you need to manage your time very well, especially if you are a working professional.

PWK Materials and Labs

The PWK materials are very good and teach everything that you need, so give them a patient read. I would advise solving all the exercises if your lab time is 3 months; I believe it is not possible to solve all the PDF lab exercises in 2 months, as there are nearly 150 of them, and you need to complete all of them to get an additional 5 points in hand before taking the exam. This is totally up to you. I personally did not give the exercises a shot, as I was short on time for doing the labs and was also comfortable with the concepts the PDF taught.

The PWK labs are pretty good and introduce you to almost all the concepts required to be comfortable taking the exam. Since I was familiar with solving HTB machines, I did a month of HTB first and then purchased a 2 month PWK course for the OSCP. I found 40–50% of the machines I did to be very similar to the TJ Null HTB OSCP machines list [https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159], including the Active Directory machines.

Either way, I would recommend you complete at least 30–40 machines out of the total of 70 lab machines. There are four different networks consisting of vulnerable machines; I personally did around 36 machines and covered all the subnets and department networks [Public, IT, Admin and Dev].

I recommend solving most of the public machines and trying to pivot into the other department networks mentioned above [if not all of them, at least one or two should be fine, as it teaches the concepts of pivoting/tunneling between networks and, at some points, bypassing firewall checks too]. It is also best to try the Active Directory machines, since there may be a chance that you get LDAP-based attacks and escalation in the exam.

Also, keep making notes of what you learn from each machine, with a good focus on web exploits, service exploits and privilege escalation.

The concepts of buffer overflows are well instructed and taught in the PDF. The labs contain vulnerable BoF programs on a client machine to practise on. Personally, I'd say 7–10 days for learning and practising BoFs is sufficient. To get a good grip on BoFs, try solving SLMail and brainpan, as these two vulnerable BoF programs are more than enough to clear your BoF in the exam within an hour.

Once you feel you have developed a good methodology for cracking machines, you are ready for the exam. It usually takes 20+ PWK machines to develop a decent methodology.

One thing to note: I advise sticking to the older Kali, i.e. the 2019 version, since the 2020 Kali does not support many of the exploits.

The Exam

Choose a slot that works for you. I prefer to start my work in the morning, so I chose an exam time of around 6:30 AM.

One thing I did as part of my recon about the exam was to approach more people who had failed the exam than people who had passed, to get an idea of why and where they felt they failed. The most common answer I got was underestimating the web exploitation techniques and overestimating privilege escalation. Trust me, getting the initial web exploitation is as tricky as the privilege escalation. So, with that noted, I took the exam, and it took a good 20 hours to complete. LOL.

The buffer overflow and the 10 point machine were done in 3 hours. I hopped onto the medium machines and, to my surprise, was only able to get a low-level shell on one of them, while on the other medium machine I had no trace of an initial way in :(. I was stuck at 45 points for almost 6–7 hours and kept working on the 20 point machine with the low-level shell. The rabbit holes were eating my cerebrum for the most part. With no further room for escalation, and the other medium machine ghosting around not letting me in, I decided to wrap up the medium machine attempts for a while and sleep for an hour.

After an hour's sleep, with the clock at 12:00 AM!, I decided to give the 25 point machine a shot and, guess what, it took less than 4 hours to crack it, and gosh, that led to me completing the exam at exactly 70 points. I did not expect the 25 point machine to be comparatively easier than the 20 point ones. I do not know whether it was the hour of sleep or what, but the final long break I took definitely worked in my favour.

My takeaways from the exam

I definitely felt the exam machines were way trickier than the lab machines, with more rabbit holes. Although I practised web exploitation techniques and privilege escalation, I felt they were both equally tricky. Always remember the exam is made in a way that it can be passed in 14 hours, so it does not take big tweaks but an understanding of the subtle tricks, such as an incompatible reverse shell, restricted outbound connections, a small bypass script, or knocking at the wrong service. Such things need to be observed.

Final Thoughts

To be honest, I was not interested in the old edition of OSCP, as I felt it to be very dated, but the new one really got me motivated with AD attacks, Empire shells, PowerShell firewall bypass and abuse, and advanced web exploits. That pushed me to give it a shot, since it covered a lot of concepts pertaining to modern day pentesting needs.

All in all, OSCP is a really good certification for improving your pentesting methodology.

One big tip: if you are stuck, take a break, even if it is 40 minutes, and then restart. Finally, I'd like to extend my thanks to my parents and my buddies Pavan and Manas Gupta for the support throughout the process, and last but not least my company [https://wesecureapp.com/] for easing my work process during the final exam preparation days.

If you need any further inputs or have queries, feel free to contact me on LinkedIn: www.linkedin.com/in/prakashashok22

Until next time, peas out! :).

Useful resources:


Written by just_a_noob

Prakash Ashok, Security Lead at WeSecureApp, CTF player, Blockchain developer and Security Researcher.
