My Experience With OSCP Exam

June 11, 2019

OSCP

This year I decided to try OSCP certification. It took a lot of effort but I passed the exam successfully last month.

From what I have seen, OSCP and other Offensive Security certifications are fairly unusual - most other popular certifications are really “book” exams, something you can read, memorize, and maybe even cram for. OSCP, on the other hand, is as hands-on as you can get, and that gives it unique value. When you see “OSCP” next to someone’s title you can tell that that person has real practical hacking skills and hasn’t just read a book on the subject. This is not to say other certs are not valuable, but OSCP in my mind is in a class of its own.

Lots of blog posts have been written on the subject, and a lot of them helped me prepare (thank you to those who wrote them!). Below I’ll share a few random thoughts on how I approached preparation for the exam and what advice I would have given my past self.

Preparing for OSCP starts with the course and continues in the practical lab. The amount of time you spend there depends heavily on your schedule and past experience. I have a fair bit of pentesting and software engineering experience, so I decided to go with 2 months of lab time. My family commitments, however, made it hard to find more than a few hours of lab time every day. In the end I spent about 3 weeks going through the course and completing exercises, and then a little over a month in the lab. It was grueling, and I think I would have benefited from more time in the lab, so if you have the time and finances to extend the lab - take advantage of that.

I feel that the ability to work in the lab is the most important part of OSCP; this is where you get your money’s worth. It’s a little counter-intuitive to say that, but to me it’s more important than actually passing the exam - the skills you acquire and practice are what will matter in the long run. A person who learned a lot in the lab and maybe failed the first exam will in the end be better off than one who didn’t work hard in the lab and passed the exam by some lucky circumstance.

There are 3 areas of preparation that I concentrated on - mental, physical and technical.

Mental

Mental prep for the exam is probably the most important one. When you feel calm and composed you can methodically grind all obstacles down. When you are frustrated and panicking your brain shuts down. Finding vulnerabilities requires patience, attention to detail, and creative thinking - and stress is a killer of these qualities.

Some people complain that the exam systems are harder to exploit than the ones in the lab - I didn’t find that to be the case. That’s not to say the exam was easy - I just found it as hard as exploiting machines in the lab. I think the reason the exam seems harder to some is that in the lab you are relaxed and can calmly explore your targets, while during the exam you are stressed and under the gun to meet the deadline, which makes everything more difficult. Practicing calming myself down, and persuading myself that even failing the test is not a big deal but rather yet another step in my learning, helped me stay more relaxed and think more clearly.

The brain gets tired after a while, so it is important to remove as many steps requiring mental energy from the exam as possible. Any time you need to write a script, research a code snippet, or look up a piece of information it drains your brain power a little - so doing as many of these things in advance as possible frees mental energy for actually looking for vulnerabilities. I prepared a lot of scripts for running scan tools, building reverse shells, compiling exploits, and so on; put together lists of commonly used code snippets; precompiled some of the exploits; and so forth - all of which helped me think less about the operational side of things and more about my targets.

Another method that helped was switching context and taking mental breaks. It is often recommended that if you hit a wall with one system, or spend an inordinate amount of time on it without progress (e.g. 2+ hours), you should switch to another system. This was very true for me: switching between systems helped keep things fresh and allowed me to take advantage of the “unconscious mind”. Some of the breakthroughs I had occurred when I put the problem I was trying to solve out of my mind completely and concentrated on something else.

Physical

Much has been said about getting enough food, drink and rest during the exam - and it all makes sense. When your body is well nourished you can fire on all cylinders.

Frequent rest is important, so taking a quick break to walk outside, or to lie down and rest, definitely helps one recharge. I’ve found that power naps do wonders for giving me an energy boost - as long as I do not sleep for too long and become groggy.

Technical

Here are some of the things that I found on the technical side of the equation:

  • Host machine setup. You have to make sure not only that your host machine OS is on the list of supported OSes, but also that it supports a camera and can run Java JNLP apps. I was using a Kali VM on a Kali host (yes, I run Kali on Kali, ‘coz that’s how I roll), which is supported - and yet I had to scramble to set up my machine during the exam to get it to run JNLP apps - my Java version was too fresh and had that functionality disabled. In the end installing Iceweasel solved the issue.

  • Types of systems. In the exam you will likely get a mix of Windows and Linux machines, some easier, some harder (which is reflected in the points awarded for each one). The systems I had reminded me a lot of the types of systems in the course and the lab, so don’t expect something completely out of the ordinary. On the other hand, some of the machines I had were at the very latest patch levels - in those cases kernel exploits are not an option, and you have to look for a vulnerable application or a misconfiguration to take advantage of.

  • Enumeration. It has been said that enumeration is key in the exam, and I think that flows from the very nature of this course. We are trying to apply known exploits (with minor modifications) to vulnerable systems - and before you can do that you have to fully understand what exactly you are dealing with. You cannot exploit what you don’t understand. Once you fully understand your target you give your brain enough “food” to chew on, and ideas for different things to try start to flow.

  • Curve balls. Of course the exam would be too easy if you could just apply a known exploit and call it a day. So do expect decoys, and vulnerabilities that are real but not fully exploitable. That’s again why enumeration is so crucial - if you have a full picture of the system then you have a list of things that you can try, not just the most obvious, low hanging fruit. On one of the systems during the exam I found a very obvious vulnerability, and yet the last step - overwriting the file that I needed - was not possible. However, with the help of thorough recon I found a misconfiguration that I could combine with this vulnerability to take it in a whole other direction and retrieve a file that allowed me to get shell. So be ready to get creative and combine different vulnerable pieces together.

  • Go from simple to complex solutions. Sometimes the vulnerability that you are looking for may be hiding in plain sight, so be methodical in trying all ideas, even the ones that seem too easy. Take a step back and think before jumping in. It may be tempting to start bruteforcing the login - but maybe try a list of known default credentials first? You could start compiling and running kernel exploits, but first see if there is an application installed that should not normally be on the system and that is vulnerable.

  • Weak areas. Much has been said about extra practice for the skills that are your weakest - that rang very true for me during the exam. I knew that my Windows privesc skills needed more work but did not practice them enough - and (of course) got stuck with Windows escalation on 2 systems. If you know that you are weak at something - spend extra time practicing it.

  • Staying organized. Keeping your research, notes, logs, and screenshots organized is absolutely critical. The human brain has limited bandwidth and things can very easily be missed or forgotten. I found KeepNote invaluable for keeping track of everything - whenever I was investigating a machine I created a node in the document tree for it and created sub-notes for enumeration logs, code snippets, todo lists, and other information. Searching and taking snapshots was very easy from within the tool, and everything you enter is automatically saved. As I gathered evidence I added new ideas to the todo list for each machine and then came back to try them.

  • Documenting your work. Do not cut corners on documenting all your steps, even if it feels that you are stating the obvious. The same goes for screenshots - take plenty, especially ones that contain the output of proof files and ifconfig/ipconfig (also note that ifconfig may be missing on newer systems - use ip addr in that case). Before you finish the exam, re-check that you have captured everything that you need for the report. You will be kicking yourself the next day if some crucial piece of evidence is missing. Overdocumenting seems like overkill but actually reinforces a valuable skill - if you will be interacting with clients and colleagues in your career you will inevitably need to learn to communicate technical information in a clear and detailed way, with any claims you make backed up by evidence.
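As an added illustration of the evidence-capture point above (this script is not from the original post), the helper below writes proof file contents and the interface configuration to a timestamped file per host, falling back to ip addr when ifconfig is absent; the notes directory layout, host label, and proof file paths are assumed names for this example.

```shell
#!/bin/sh
# Added example, not from the original post: record the evidence the post says
# to capture (proof file contents plus interface configuration) in a timestamped
# file per host, using `ip addr` when `ifconfig` is missing on newer systems.

# Print the interface configuration with whichever tool the system has.
net_config() {
    if command -v ifconfig >/dev/null 2>&1; then
        ifconfig
    elif command -v ip >/dev/null 2>&1; then
        ip addr
    else
        echo "(neither ifconfig nor ip is available)"
    fi
}

# collect_evidence NOTES_DIR HOST_LABEL [PROOF_FILE...]
# NOTES_DIR and HOST_LABEL are assumed names for the notes tree and the machine;
# each PROOF_FILE is a path whose contents should be recorded (a missing file is
# noted rather than aborting the run). Prints the path of the evidence file.
collect_evidence() {
    notes_dir="$1"; host="$2"; shift 2
    mkdir -p "$notes_dir/$host" || return 1
    out="$notes_dir/$host/evidence-$(date +%Y%m%d-%H%M%S).txt"
    {
        echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(uname -n) as $(id -un) =="
        echo "== interface configuration =="
        net_config || echo "(interface listing failed)"
        for proof in "$@"; do
            echo "== proof file: $proof =="
            if [ -r "$proof" ]; then cat "$proof"; else echo "(missing: $proof)"; fi
        done
    } > "$out" || return 1
    printf '%s\n' "$out"
}
```

Run it once per machine right after obtaining each proof file so the timestamp in the file name documents when the evidence was gathered.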

  • Tools and resources. The following are the tools and resources that I got the most value out of during the exam and lab (of course lots of others were used as well, but these were the most helpful):

    Enumeration

    • searchsploit - This tool was invaluable during my exam. It helped me find most of the vulnerabilities that I used. Use it to look up identified software listening on ports, internal software installed on the system, OS components that are installed - everything.
    • nmap - Goes without saying…
    • nikto
    • dirsearch
    • gobuster

    Escalation

    Guides

All in all it was a hard and stressful journey, but a very rewarding one. I’m already starting to miss the lab. :)


Facebook CTF 2019

June 3, 2019

This is my first time trying Facebook CTF (was it on in previous years?). The platform was not very stable - frequent errors and downtimes, but that did not affect the offline challenges, so no biggie. The challenge quality was top notch, definitely not a beginner level CTF. Thanks for the good times!

Writeup:

matryoshka


HXP CTF 2018

December 9, 2018

HXP CTF was as great as last year - well done guys! Well organized, went without a hitch, and the challenges were tough and mentally stimulating. Solved several, came really close on a couple more. No matter how many ways you know of exploiting something, there is always one more - HXP challenges are great examples of unorthodox approaches to doing things.


Kaspersky Industrial CTF 2018

November 25, 2018

I have mixed impressions of Kaspersky Industrial CTF - it was unusual to have no live chat, no announcements, no varying degrees of challenge difficulty; the “industrial” nature of the CTF was not reflected in the tasks. On the other hand the challenges were interesting and hard, so it was a great learning experience with lots of variety - from PHP serialization to .Net obfuscation. In any case - time well spent.


Volga CTF 2018

March 26, 2018

Volga CTF didn’t disappoint - very smoothly run, and the challenges were pretty inventive and quite complex. Great job organizers!


Sharif CTF 2018

February 4, 2018

Challenges in Sharif CTF were a good mix of different levels of difficulty. It didn’t help that for about 6 or 7 hours the site went offline due to some IP blacklisting issue and was hard to reach from outside Iran. Lesson learned: download offline challenges early in order to avoid twiddling thumbs during possible outages.


SECCON Online CTF 2017

December 11, 2017

SECCON CTF didn’t disappoint this year either - lots of interesting challenges of all levels of complexity, all running without a hitch. A good brain workout!


HXP 2017

November 19, 2017

Some very interesting and challenging tasks in HXP CTF. A well organized and managed event. Thanks HXP, I had a lot of fun (and stress :smile:)!


Pwn2Win 2017

October 21, 2017

Pwn2Win was an interesting event - ran pretty smoothly, challenges were … challenging :smile: and the admins were responsive. It’s the first event that I have seen that uses NIZK for scoring, which should be a good way to cut down on questions about scoring reliability and fairness. Thanks for the great competition and learning experience!


FLARE-ON 2017

October 17, 2017

FLARE-ON 2017 was very rewarding - what a great opportunity to sharpen reverse engineering skills! I ran out of time in the middle of the last challenge but the whole thing was still totally worth it. Big thanks to the organizers - I’m looking forward to trying it again next year!


HackIT CTF 2017

August 28, 2017

HackIT ran on August 25-27 in Kharkiv, Ukraine. Lots of challenging tasks, most of them well done. Some stability issues, but the organizers were on the Telegram channel and corrected problems as they came up. Thanks for the fun event!


RCTF 2017

May 23, 2017

RCTF is a fairly new event, however the quality of the challenges was surprisingly high, as was the overall organization. All in all - a fun competition.


PlaidCTF 2017

April 23, 2017

No shortage of tough challenges in PlaidCTF… Overall a very impressive competition, no wonder it’s considered to be one of the top CTF events. I guess mature CTFs all had enough time to polish their UIs and gain enough experience to make sure their events go smoothly and with few hiccups.


ASIS CTF 2017 Quals

April 10, 2017

ASIS CTF Quals was organized very well. Sleek site, well-designed challenges, and organizers responding in a timely manner on chat. I was impressed! As usual - lots to learn and plenty of problems to agonize over… :smile:


VolgaCTF 2017 Quals

March 27, 2017

Organizers did a great job with VolgaCTF Quals, you can tell that they have been doing this for several years. Things were very well set up and thought through, and most of it went without a hitch. Some of the online challenges were kind of slow, but the admins seemed to be responsive to requests for help and fixed challenges fairly quickly when they went down. I had a great time and learned a lot.


0CTF 2017 Quals

March 19, 2017

0CTF was a tough event. What does not kill me makes me stronger! :smile: Not to mention it’s a great way to gain lots of practical knowledge fast…


Boston Key Party CTF 2017

February 27, 2017

Just took part in a very challenging Boston Key Party CTF. Although I solved just one problem, the competition made me take an in-depth look at several areas I have not dealt with before. All in all a great opportunity to expand my knowledge!


Alex CTF 2017 Writeups

February 7, 2017

Challenges in Alex CTF seemed easier than the ones in some of the other CTFs I have seen, and the 3 days to complete them was pretty generous. That’s the best way of doing it, I think - when stress is lower you can think more creatively and come up with higher quality solutions. :smile:
