Probably you’re here because you’re interested in obtaining the OSCP certification. Smart decision, good for you! Or maybe you are interested in obtaining a certification in info-sec, but you are still looking for the right one? Even if you are just looking for a way to boost your technical skills, you may be interested in becoming an Offensive Security Certified Professional.
I recently went through the course (Penetration testing with Kali Linux) and certification exam, so here is some of my experience and a few thoughts, you might find them useful.
There is no secret that in order to obtain this certification, you need to dedicate a great amount of time and ambition and I completely agree with this.
Also, rumour has it that you already need to have Godlike skills in everything there is to know, or else you won’t understand the materials. I can honestly say that the rumours aren’t true. A strong background in info-sec is preferred, however the course materials are very well explained and there are plenty of resources for learning your way through this course; all you need is the determination to try harder and read more, until you fill all the knowledge gaps that might appear.
My background before taking this course:
- Engineer in Computer Science and Automatic Control;
- Experience as a software developer – more than 2 years;
- Experience as a security penetration tester – more than 2 years.
I think I could’ve managed to get the job done with less experience, but it would’ve been harder.
After registering for this course, I received an email containing download links for the course materials: a manual in PDF format and video courses (several hours of tutorials that cover pretty much the same information as the PDF, but in a hands-on, crystal-clear, step-by-step approach).
Make sure to download the materials in a timely manner, the download links will expire eventually. Also, make sure to save the materials in a secure environment. You don’t want the materials to get public; Offensive Security cares a lot for its intellectual property.
In my opinion, the purpose of the course materials is to give you the proper background for this course, to build a strong foundation on which you can further develop with lots of individual work. I first watched the videos as a movie, just to find out what it is all about. Then, I started reading the PDF, searching for everything I didn’t understand and re-watching the part of the videos that referred to that specific subject.
After each chapter, there are a few exercises. Some are easy, others require you to do some research and to put in some work. I think it’s a good idea to follow the exercises and to log your results (KeepNote will do); you’ll find the exercises very useful during the labs.
In the Labs
After registering for the course, you’ll also get VPN access to a simulated environment with about 50 different machines. This is a laboratory where you are encouraged to sharpen your hacking skills. Each machine is revertible, so you don’t need to be afraid that you’ll break something. You share this environment with other students, so there are a few common sense rules: don’t disturb their work, don’t attack them, revert the machine after you’re done with it (you don’t want to leave it unexploitable or very exploitable for other students).
The lab simulates a live company, with users, departments, flows. You can expect to find here a fair variety of operating systems, installed services and software. Every machine is exploitable in one way or another, every machine has its unique story and represents a challenge in its own way. Depending on your background, you may find some easier to hack into, while others will make no sense until everything makes sense.
What I loved the most during my lab time was that I wanted to conquer a machine just to find its story. It was entertaining and fun to do so. The lab is an environment full of life, with users, user actions, user interactions, user habits and so on. In time, you’ll find that some users are nice, others are crazy, some smoke a lot, while others are obsessed with work and emails.
I encourage you to be creative and try everything you have in mind. Knowing that the machines can be reverted, there’s no need to hold back your ideas. You are in a lab, so it is perfectly normal to experiment with that cool exploit you’ve just found…
I opted for the 3 month subscription of lab time, which was more than enough to get me prepared for the exam. Probably I could have managed with 2 months as well, but I think that the one month subscription is not enough. You will probably need more than one month (with an average of 4 to 8 hours of effective work everyday) to solve the course exercises, conquer most of the machines and have your portion of fun. Yes, “fun”, I say it again – for me, it was entertaining.
The best you can obtain from individual study is developing a strong methodology for attacking a machine. Reconnaissance, information gathering, enumeration, exploit, fail, exploit again, enumerate again, escalate, fail again, escalate again, maintain access… insert any step you deem necessary and make your own pattern that gets you from ping to root.
The technical skills that you’ll pick up from the course materials are not enough to be prepared for the exam, not even for the labs. It’s up to you to sharpen your skills in key areas, to learn to do things easier and faster. I can give a few links that will prove useful during the lab and exam:
- Basic Windows privilege escalation
- Basic Linux Privilege Escalation
- Linux – kernel exploits
- Creating payloads with Msfvenom
- Msfvenom – more examples
- Reverse shells tips & tricks
- File transfers, useful commands & more
- Pentest tips & tricks
- Proxychains – dynamic port forward
- Port forward with meterpreter
- Exam guide
- Forum topic about tips for lab machines
For each website, be sure to check what other resources are there, you’ll find many goodies. You don’t need to memorize every command from every tutorial, but you should understand what is presented and have the resources close to you when needed. Also, it’s up to you to find and explore other resources.
Exam – prepare to succeed
So, when are you ready to take the challenge? It’s hard to estimate, rumour has it that you are ready after you’ve obtained access to all lab machines except the 3 hard ones (pain, humble & sufferance), however this is hardly an indicator. I managed to obtain access to 40+ machines, but still had doubts. After getting comfortable with the steps you usually take for attacking a machine, you’re probably ready to go.
The exam is a 24-hour penetration test against a small number of machines, plus 24 hours for delivering the penetration test report. Each machine is worth a number of points and you obtain the points by getting low-privilege shells and escalating your privileges. There are 100 points in total and you need 70 to pass the exam.
Getting prepared for the exam does not involve only boosting your technical skills. It is a 48-hour exam that needs you to deliver a report, so here are a few things to take into consideration:
- Are you comfortable with reporting your findings? You should write a report for the course exercises and lab activities, so you’ll get a proper handle of it.
- Are you sure you don’t have any other activities planned during that 48 hours period of time? You don’t want friends coming over, you don’t want to have plans to go shopping or whatever. It is an exam like any other, so you need to focus.
- Do you have a backup internet connection, in case your internet provider fails you? A 3G stick would be nice.
- A laptop with good battery, in case power goes down?
- Is your Kali machine ready to rock?
- Do you have all resources properly prepared and easily accessible? Lab notes, tutorials, own scripts etc… You don’t want to waste valuable time searching for that one tutorial that you once saw…
- Be sure to have a good sleep before the exam and a period of relaxation. A walk in the park? A game? Some sports? Whatever works for you…
Talking from experience, I can say that the exam itself is fairly hard, it deserves its fame. I started the exam at a very good pace. After about 5 hours, I had almost all the points I needed to pass the exam. I needed just one more machine to get the job done and I was confident that I would do it. And then it hit me… in the next 15 hours, I didn’t make any progress at all. My experience and knowledge just didn’t *click* very well with the remaining machines.
I had a few 5-10 minute breaks during this time (to eat, to take some fresh air, to play a little with my cat etc). I’ve read a few reviews where the authors say they were also stuck at some machines, but it was because they were too tired to think clearly. So they had a nap of a few hours and everything worked out after they woke up. This might be a good strategy, but at no point did I want to sleep. If I were to fail the exam, I wanted to be sure that I had tried as hard as I could for as long as it was possible, and sleeping was just not part of the equation.
In the end, this worked for me. After about 15 hours of trial and error, I had my first progress on a machine, a door that opened a lot of possibilities. After another 2 hours, I was root on the machine and had all the points I needed. In the remaining hour and so of exam, I just made sure to have all the screen captures and proofs needed for the report.
Writing the report
If you made it this far with the certification, then congrats! There is a standard report template that you are encouraged to follow, but you are free to make adjustments or to use a completely different template. In the end, the report is the only deliverable and the proof that you actually had great results during the exam, that’s why this step is as important as any other. So here are a few tips that worked for me:
- Double/Triple check your grammar. Not all of us are native English speakers, so it is normal for spelling mistakes to appear in weird places. However, a good and clean report will always win the hearts of the readers.
- Be sure to have all the screen captures required in the format they are required. The exam result may be negative just because you forgot to take a screenshot at the right moment. In the 24 hours dedicated to reporting, you won’t have access to the exam machines, so you’ll have to use only your notes that you took during the exam.
- Log everything you do, issued commands, tried exploits, results obtained.
- Document your attacks step-by-step. Be sure that your attacks can be reproduced using only what is written in the report.
- Make sure that the document formatting is not ruined when converting to PDF format (you are required to submit the report as a PDF).
- Make sure that the email containing the report is actually sent. Some mail providers might strip the attachments, so be prepared. Don’t send the report at the last minute and, if you encounter problems, use the alternate submission method (it is properly documented in the official exam guideline).
I can say that this might be a tough journey, but it is equally rewarding and entertaining. Remember that, although there is a lot of individual work, you are not alone in this journey. There are other students out there, you can find them on #offsec IRC channel or on the Offensive Security forums. Also, there are admins that can offer you support when needed.
I hope I spoiled enough to help you a little in your journey, but I won’t disclose more since I don’t want to ruin your fun.
As you’ll probably hear a lot in the future,
Thanks for the review.
Could you please give me some tips on the sufferance machine? Without giving too much.
I’m stuck on this one for days.
Sadly, I cannot help, I’ve finished my lab time without obtaining sufferance. You could add specific questions on offsec forums, you might get something helpful, besides the famous “try harder”.
How many hours of suffering should you endure everyday?
I think I spent over 250 hours in the labs, however the “sufferance” was a sweet pain for me. 🙂
thanks for the very interesting review. Would you be so kind to share which was your enumeration method? for example: 1) nmap top ports 2) nmap full scan TCP & UDP … etc …
I’ve learned that you can never enumerate enough. I usually do a quick scan and afterwards, while I manually focus on each discovered port and service, I do a full TCP port scan in the background.
Quick scan: nmap -sSVC -Pn -vv --open --top-ports 500 -oN box_name_top500.txt box_ip
Full scan: nmap -sSV -Pn --open -p 0-65535 -oN box_name_full.txt box_ip
You can adjust timing if needed with switches such as --max-retries, --max-rtt-timeout and -T (https://nmap.org/book/man-performance.html).
You will see that you’ll rarely need to scan for UDP ports. If you want, focus on top ports only, scanning for UDP may take forever.
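The two scans above produce normal-format (-oN) output files, and the point of running the full scan in the background is to catch whatever the top-500 scan missed. The following is an added example, not code from the original post: a small parser for nmap -oN output that reads both files and reports the open ports that only the full scan found, so that nothing gets lost between the quick and the full enumeration. The host, ports and version strings in the embedded sample output are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the per-port lines of nmap normal output, e.g.
# "22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# Matches "Nmap scan report for host (ip)" or "Nmap scan report for ip".
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>.+?)(?: \((?P<ip>[\d.]+)\))?$")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_normal_output(text):
    """Parse nmap -oN output into {host: [PortEntry, ...]}.

    NSE script lines ("| ..." / "|_ ...") and comment lines ("# ...") are
    skipped; only the port table rows are kept.
    """
    results = {}
    host = None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("ip") or m.group("host")
            results.setdefault(host, [])
            continue
        if host is None:
            continue
        m = PORT_LINE.match(line)
        if m:
            results[host].append(
                PortEntry(int(m["port"]), m["proto"], m["state"],
                          m["service"], m["version"].strip())
            )
    return results


def open_ports(entries):
    """Set of (port, proto) pairs whose state is exactly 'open'."""
    return {(e.port, e.proto) for e in entries if e.state == "open"}


def missed_by_quick_scan(quick_text, full_text):
    """For every host in the full scan, the open ports absent from the quick scan."""
    quick = parse_normal_output(quick_text)
    full = parse_normal_output(full_text)
    missed = {}
    for host, entries in full.items():
        extra = open_ports(entries) - open_ports(quick.get(host, []))
        if extra:
            missed[host] = extra
    return missed


# Constructed sample of "nmap -sSVC --top-ports 500" output (not a real scan).
QUICK_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -sSVC -Pn -vv --open --top-ports 500 -oN box_top500.txt 10.11.1.5
Nmap scan report for 10.11.1.5
Host is up (0.040s latency).
Not shown: 497 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.6
|_http-title: Welcome
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed sample of the full "-p 0-65535" scan on the same host.
FULL_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -sSV -Pn --open -p 0-65535 -oN box_full.txt 10.11.1.5
Nmap scan report for 10.11.1.5
Host is up (0.041s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.6
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8443/tcp  open  ssl/http    Apache Tomcat 8.0.36
50000/tcp open  ibm-db2?
# Nmap done -- 1 IP address (1 host up) scanned
"""

if __name__ == "__main__":
    for host, ports in missed_by_quick_scan(QUICK_SCAN, FULL_SCAN).items():
        print(host, "open ports not seen by the quick scan:", sorted(ports))
```

Pointing the two string constants at the real box_name_top500.txt and box_name_full.txt files gives the same comparison on actual lab output; the parser keys on the "Nmap scan report for" line, so a file that covers several hosts is handled per host.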
many thanks for your detailed reply and suggestions!
Hey man! Congrats, very good experience and sharing.
I have strong networking knowledge and good at linux, windows, and common security concepts. I am meaning to take this course and exam. but a few questions before taking it,
-need for python , ruby, or other?
-need for assembly?
-need for web application pen test concepts?
-lab works are enough to prepare lab test?
thanks a bunch in advance
If you are confident in your current skills, then you are good to go. There is some need for python and assembly, but only at a basic level, so you can learn them on the fly.
You will need a lot of knowledge about web apps and common vulnerabilities but, again, you can learn them during the lab.
The purpose of the certification is not only to pass the exam, but to learn a lot during the process. So don’t be afraid if you lack some skills, the certification will help you improve them.
thanks a lot Daniel for your valuable inputs!!
Congratulations Daniel! Great read. I’ve also attempted to write a review, inspired after you. Hope it helps someone!
How much experience (work and education) would you say is required before starting to study for the OSCP?