January 21, 2018

OSCP course and exam overview

   There is a good proverb: "Better late than never". Loads of people have been asking me about my OSCP experience and thoughts, so I decided to share them here. There are plenty of reviews with book/lab/exam details, so I will not copy/paste them. This review will be more about my experience and thoughts. I passed the exam in October 2015 on my first attempt. I know the exam and course have changed a lot since then, but I still hope someone will find my review valuable.


Introduction

   To tell the truth, certifications in infosec suck. It is very hard to keep up with the rapid growth of the industry and address modern concepts in courses. Before Offensive Security there were no hands-on certifications. I find this situation quite strange, as vendors check your hands-on skills with a bunch of questions. Even if we put aside the endless dumps available on the Internet, I think practical skills can be evaluated only by practice.


Lab environment

   I decided to take OSCP to challenge and improve my skills and out-of-the-box thinking. This is a self-study entry-level course from OffSec. They don't test your knowledge level when you sign up for the course. Studying will require loads of time and effort from the student. I decided to buy lab access for 3 months and owned every machine there.
   So I started with the book, solved the exercises and put them in the appendix of my future lab report. Frankly, the book is just a good intro to what you will need while owning machines in the lab. All the basic techniques can be found there. OffSec is not a course where they guide you through all the machines; it is up to you. They just provide you with some vectors to consider.
   While fighting with the lab I struggled a lot. The most frustrating thing for me was that I knew a machine was vulnerable but couldn't find where. In a real pentest you never know beforehand that your target is actually vulnerable. I was stuck so many times. There was an IRC chat where you could discuss your problems with OffSec staff. In my time the most common answer was: "Enumerate more". Now I am very thankful for this, as only persistence and suffering will help you find out the truth. Since then I know that there is no such thing as "I tried to hack it for a long time". Patience is really important in our job. A pentest is not a bunch of tricks to try against a target; it is more a proper mindset and the joy of solving puzzles.
   During lab time I did not do post-exploitation enumeration after rooting a box, and it caused me pain when I was sitting in the lab with only client-side boxes left. I wasted 2 days just going through all the owned boxes to find the information necessary to progress further. In the lab you can find some neat stuff to play with, such as Oracle, a small domain environment and various OS versions. You will master privilege escalation, pivoting, trivial AV bypass and client-side exploitation. I improved my Metasploit skills, diving into how it actually works. The admin network was a pleasure to play with. At the end I spent around 3 days creating the full lab report with evidence and planned my exam.

Exam

   As I can't reveal details of the exam, and loads of things have been written in other reviews, I will just summarize my wins and fails. I started the exam with the buffer overflow machine and got 25 points pretty quickly. Then I got limited shells on 2 other machines. And then I got stuck, really stuck. I was sitting from 14:00 till 01:00 with no luck. I felt miserable and went for a quick nap with a heavy heart. However, at 07:00 I got up and in 2 hours rooted the Linux box for 20 points. I ignored the 10-point box as I found it not worth spending time on such a low-value target. Then in the next 2 hours I got the other 2 machines, finishing 15 minutes before the deadline. I started to dance and forgot to submit proof.txt in the online system. Luckily I had all the screenshots to prove rooting.
   After 2 days I received the passing confirmation.

Closing thoughts and criticism

   I personally found OSCP a great entry-level challenge. I vote for hands-on testing instead of paper-based exams in all forms. I have heard opinions that playing with the OSCP lab is not the same as performing an assessment, so it is not relevant for getting a pentest job. I agree with this only on a small point: here you don't report all the informational bugs and missing best practices. Also, you don't care much about environment stability, as you can always revert the machine. But everything else in the lab and exam is quite close to real life; the course also encourages you to research and study more, and improves personal qualities which will help in developing a pentester career.
   When I do hiring, I personally consider OSCP an advantage. Obviously, getting OSCP will not promote you to senior tester in a moment, but it is a good base from which to start building a technical career in the sphere of legal hacking.