Wednesday, February 8, 2017

My Experience with the OSCP

To kick off my blog, I decided I would begin with a review of the coveted Offensive Security Certified Professional certification and corresponding training course, Penetration Testing with Kali Linux.

I have been interested in penetration testing and IT security since college, and have been fortunate enough to get a great deal of exposure to both of these at my current position.  After a fairly negative experience dropping a few hundred dollars on a multiple-choice certification exam, I did a bit of research and stumbled upon Offensive Security's flagship training course.  While reading several reviews about PWK (Penetration Testing with Kali Linux), it occurred to me that this was the class to take if I wanted to learn the fundamentals of penetration testing and take my experience to the next level.  What sets this class/certification apart is its inclusion of a simulated enterprise environment with 50+ vulnerable machines, all waiting to be compromised using methods taught in the course material.  Based on the reviews I read, it sounded extremely difficult but rewarding, and I couldn't wait to sign up.

Course Materials

I signed up and waited in anticipation for the materials, and on the morning of my start date I received an email from Offensive Security including links for the following:
  • Videos: Several hours of videos that parallel the course manual, but contain some subtle differences.
  • Course Manual: The course manual comes in a PDF and is over 350 pages long, and is the meat and potatoes of the course.  For a syllabus of course manual content, click here.
  • PWK Virtual Machine: A 32-bit VMware image specifically customized for the course by Offensive Security.
  • Lab Connectivity Pack: OpenVPN files required to connect to the lab environment.
  • Student Control Panel: A link to the student control panel which allows you to revert lab machines a specific number of times each day.
  • Windows 7 Lab Machine: Credentials for a lab machine to be used for some of the course exercises.
  • Forums: Directions on accessing the student forums where help can be sought for general questions and hints on breaking into specific lab machines.
  • IRC: Information for accessing the #offsec IRC channel to interact with other students, OSCPs, and Offensive Security staff.
The course content does a great job covering the fundamentals of pen testing methodology and also includes Linux basics like starting services and bash scripting.  The more advanced topics covered are fuzzing, buffer overflows, and exploit modification, which I had no prior knowledge of before taking the class.  However, the material does a great job of explaining these advanced techniques in a simple yet thorough way.

Lab Environment

Without a doubt, the coolest part of this class is the lab environment and the hands-on nature of the experience.  The lab consists of 50 or so servers and 3 network segments.  Scattered throughout are little details, clues, and artifacts which make this feel like a living, breathing network.  I found myself becoming addicted to the excitement of compromising the next server, as each bout of post-exploitation enumeration would reveal additional information about the network and its residents.  Additionally, the network is shared with other students, so I learned quickly to revert each machine before I began each attack (via the Student Control Panel).  This way I started with a clean slate, ensuring all services were intact and there were no leftover scripts/files that could be potential spoilers.

As I worked through the course manual and videos, I was running commands against real targets and enumerating real hosts in the labs.  For example, the course material might teach me about an Nmap NSE script which checks for everyone's favorite SMB vulnerability (MS08-067).  I am walked through the process of port scanning all hosts with SMB open, trimming (grepping) that output so it only contains IP addresses, and feeding that into an Nmap NSE scan to identify vulnerable hosts.  Later, when Metasploit is introduced, I am led through the process of popping a shell on the hosts I identified earlier.
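The scan-then-trim pipeline described above, written out as an added example (this is not code from the original post or from the course): the Nmap stages are shown as comments, and the "trim the output to IP addresses" step is a small function run over a constructed sample of Nmap's grepable (-oG) output, so it works offline. The subnet and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post. The two Nmap stages the post
# describes (assumed invocations, run against your own lab range):
#
#   Stage 1: find hosts with SMB open, in grepable format
#     nmap -p 445 --open -oG smb.gnmap 10.11.1.0/24
#   Stage 3: run the MS08-067 check only against the trimmed host list
#     nmap -p 445 --script smb-vuln-ms08-067 -iL smb_hosts.txt
#
# Stage 2 is the trimming step, implemented below.

# Print the unique IPs whose port 445 is reported as "open" in a -oG file.
# Only "Ports:" lines count: the "Status: Up" line for a host carries no port
# state, and "open|filtered" is deliberately not treated as open.
open_smb_hosts() {
    awk '/^Host:/ && /Ports:/ && /445\/open\/tcp/ { print $2 }' "$1" | sort -u
}

# Constructed sample in -oG format (made-up addresses, not real scan data).
# Note the duplicate host line and the open|filtered host, both of which the
# function must handle.
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.40 scan initiated as: nmap -p 445 --open -oG smb.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()	Status: Up
Host: 10.11.1.5 ()	Ports: 445/open/tcp//microsoft-ds///	Ignored State: closed (0)
Host: 10.11.1.8 ()	Ports: 445/open|filtered/tcp//microsoft-ds///
Host: 10.11.1.5 ()	Ports: 445/open/tcp//microsoft-ds///	Ignored State: closed (0)
Host: 10.11.1.22 ()	Ports: 445/open/tcp//microsoft-ds///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
EOF

# Produce the host list that Stage 3 would consume with -iL.
open_smb_hosts "$SAMPLE_GNMAP"
```

Redirect the function's output to `smb_hosts.txt` to feed the third stage; on the sample above it yields 10.11.1.22 and 10.11.1.5 only.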

Additionally, I found that, through repetition, things like file transfers, my enumeration process, privilege escalation, and SSH tunneling all slowly improved as I worked through the labs.  Where I initially had a hard time wrapping my head around tunneling a connection to another network segment or transferring files from my attacking machine to a victim, these became second nature as I performed the techniques in a variety of different situations.

It is worth noting that in many cases the PWK material introduces you to concepts, but a deeper dive is necessary to truly master the techniques.  I found that as I took down all the low-hanging fruit (a concept that is a cornerstone of the class), I had many situations where I would get stuck attacking a server for days, unable to find a way in.  It usually became necessary to move on to another machine, and as I expanded my skill set I could return to these hosts with new tricks and usually find a way to take them down.  This was especially true of the servers that are well known among students and OSCP holders: Pain, Gh0st, Sufferance, and Humble.  These machines are no doubt the hardest, but the feeling of finally getting that root or system level shell on them after hours of work is pretty amazing.

Reporting

An often overlooked but integral piece of the class is the reporting requirement.  In addition to the exam reporting requirements (which I will discuss in a minute), it is possible to gain 10 extra credit points on the exam by documenting the course exercises and lab machine compromises.  It turns out that those extra 10 points became the difference between pass and fail for me.  Fortunately, I worked on the report template in the few weeks leading up to the exam, so that all I had to do was add the screenshots of my exam work to the document.  The report ended up being 130 pages, so had I not prepared it in advance, it would have been a nightmare to compile and document everything in the 24 hours after my exam.  Offsec also provides a template, which I used heavily and which alleviated a lot of work in terms of how to structure the report.  I was able to focus on my content and not stress too much about how everything should be laid out.  The example template can be seen here.

Exam

After a few lab extensions, 50-something compromised lab machines, and access to all three network segments, I felt I was ready to take on the exam challenge.  The exam has somewhat of a reputation for being very difficult.  It consists of several machines with different point values that must be hacked to gain a certain number of points, all in a 24 hour period.  Then comes reporting for the exam work (and labs/exercises for extra credit if one chooses), which must be done in the 24 hours after the exam.  Additionally, Metasploit use is restricted on the exam, so manual exploitation is largely required, which adds another level of difficulty.  From reading various experiences online, it appeared that quite a few people found the exam very difficult and took several retakes to pass.  I went into the exam prepared for this same fate, but was OK with it as the retake is only $60.

I scheduled my exam date a few weeks after my lab extension ran out, and focused on some areas that I felt were my weak points.  I also worked on tweaking some tools in an effort to automate my enumeration process, as I knew efficiency was key for the exam considering the time constraint.

My exam materials arrived at 7 am, I read through the exam requirements, and I was off and running.  I compromised my first server in 2.5 hours, hit a wall for a few hours but ended up compromising my next after a few more, got a limited shell on another, and by 7 pm I was 10 points from passing and hadn't used Metasploit yet.  To my surprise, it looked as if I would pass!  I took a 30-minute break to eat and give my brain some rest.  I had 12 hours remaining and I was sure I could get those last 10 points no problem, but this turned out not to be the case.  10 hours later I had made zero progress.  That's right, 2 hours remained, I had been awake for over 24 hours, was starting to feel crazy, and was dumbfounded that I couldn't get any further on the remaining machines.  I couldn't believe I was this close to passing and was going to fail.  Although my mindset was pretty awful, I decided I was going to go on to the bitter end.  In my final hours, I made a last-ditch effort to review my enumeration results, and something caught my eye that I had overlooked previously.  After a few minutes of research, I had spent my Metasploit use on acquiring my final shell, which gave me enough points to pass!  I was so mentally exhausted that I didn't do my normal root dance celebration, but more of a sigh of relief that I had finished the challenge.  I then pored over my screenshots to ensure I had all the documentation and proof I needed before my VPN connection to the exam network was severed.

After a few hours of sleep, I awoke and spent several hours polishing my lab/exam report, checking, and rechecking that I met all the requirements as outlined in the exam requirements documentation. By that evening I had submitted my report and then the waiting began.  After a couple days I received the email congratulating me on successfully passing the exam and achieving the OSCP!

Final Thoughts

Taking this class and achieving the certification is definitely one of the hardest things I've ever had to do.  The time commitment was immense and the amount of self-study was unreal, but it was totally worth it as I learned quite a bit.  If you are interested in penetration testing and want to take your knowledge to the next level, this is definitely the course to take.

Resources

Below are several sites that I discovered as I did research on various course topics.  Many of these contain scripts I used frequently or material I referenced often.

Information Gathering:

Privilege Escalation:

Pivoting:

Exploit Writing:

Local File Inclusion / Remote File Inclusion:

SQLi:

BruteForce w/ Burp Suite:

Reverse Shell Cheat Sheet/various shells:

Metasploit Payload Cheat Sheet:

Pen Test Methodology:

Nmap Scripts Index:

Others' Experience w/ OSCP (helpful tools, resources they used):

Password Cracking:

3 comments:

  1. Excellent write-up, Nate. Thanks for the great list of links and resources, too!

    Replies
    1. Glad it was helpful. I recently started my prep to begin Cracking the Perimeter, so hopefully my review of that won't be too far off... Feel free to reach out if you have any questions or wanted any guidance on the certification. My email is nathandrobb@gmail.com.