OSCP Review or: How I learned to Stop Worrying and Love the Enumeration

/x90 out of 5.

Bot Loves Coffee, 26 July 2017

24 hours of being bent over a keyboard, 4 Rockstar energy drinks and two microwaveable chicken-fried rices later, I’m proud to have been awarded my Offensive Security Certified Professional certification, AKA a “hacks real decent” badge.

But as much as I love a good self-congratulation, this post isn’t just to brag (as much as I’d love to be indulged). I’m hoping to break down the content of the course in this article. The highs, the lows, and the level you’ll be expected to be at should you decide to take the course yourself.

The Class

After signing up for the Penetration Testing With Kali Linux Course, you receive quite a bit of material:

As tempting as it might be to just jump into the labs, fire up nmap and Metasploit and see how many boxes you can pop, I highly recommend starting with the ‘academic’ part of the course to get full value out of the material and avoid as much frustration as possible when you get to the labs.

Course Material

The PDF has 18 chapters, each broken down into several sections. It begins from the ground up, explaining the fundamental technical skills required to complete the course (and, by the same token, to successfully complete a penetration test) and touches on general techniques used in penetration testing.

I personally found the written material to be decent. It wasn’t riveting, but it was concise and kept my attention. I would start each module by watching the videos associated with it, giving me a quick “primer” on the material. After that, I would read the corresponding PDF material more carefully, while taking notes. While Offensive Security is brief in some parts of the material they cover, they thankfully link to other useful resources. For the student with spotty experience in certain areas that might be considered common in the IT field, reading up on these references is invaluable in making sure you understand the main idea of the module and aren’t seriously lacking in foundational knowledge. I found this a great way to provide information useful to more experienced IT professionals while giving folks newer to the field (like me) resources to get up to speed where necessary. For example, I’m a software developer and data scientist by training, and my knowledge of SMB was spotty. For that section, I read up on every resource possible. For the web app exploitation section, I barely read any of the documentation because that’s what I do all day, every day.

A common critique of the course is that the vulnerabilities covered are “too old” and therefore not useful. Personally, I found that Offensive Security was almost never trying to teach a specific technique, but to imbue in the student a methodology that would remain flexible and effective regardless of the technology in use. That is to say, it doesn’t matter that you won’t be able to get root using Mempodipper on many modern machines. The point is that you understand that taking the time to enumerate the Linux kernel version in use on the target machine and searching Exploit DB for vulnerabilities is a step that absolutely can’t be skipped. Those looking for silver bullets won’t find them here, but in my opinion nearly any “modern exploit” quickly becomes old hat. It’s this natural cycle of exploitation and patching that leads to interesting work for researchers and keeps pentesters and hackers on their toes.

Another pointer I would suggest here is to do all the exercises in the PDF as you run into them. A full write-up of all exercises (along with a write-up of exploiting 10 lab machines) can give you up to five bonus points on the exam. Whether you need it or not, both the act of doing the exercises and writing them up are excellent preparation, and going into the exam later with these writeups done will be a confidence booster.

I particularly recommend doing them as you run into them in the academic part of the course because it reinforces the concepts you’re learning in the text and videos. As things get particularly technical, it’s easy for your eyes to glaze over and feel like you’re “making progress” just because you’re further in the course material than you were when you started. This doesn’t imply that the material has gotten through to you, however. If you can do the exercises without referencing the material you just “read”, you’re in great shape. If you find yourself trying to copy and paste code snippets out of the PDF, a little more drilling is required before you move on. I cannot overstate how important the fundamentals are in this course. Without a working intuition for the basics, you’ll never be able to move onto the creative application that forms the cornerstone of your growth through this course.

Even if just learning about the ins and outs of specific techniques isn’t enough motivation for you, you’ll find they help you a lot in the lab. Believe me, you’ll want help in the labs.

One more note here: at least in the version of the PDF and videos I received, it appeared that the content between the two had started to drift apart a bit. Certain command line syntax, for example, might be modified in one compared to the other, with one seeming to represent an old version of the class materials. This wasn’t super common and didn’t make my time with the material much harder, but it could be a timesuck in places if you aren’t paying attention. I was lucky enough that my employer gave me a week to focus exclusively on working through the academic material for the exam, so I was pretty fresh for all of this and had gone through all of the material and completed all the exercises in about four days. If you’re doing this before or after working at your full-time job, I could see it taking around two weeks to do right.

The labs

The shining jewel of the Penetration Testing With Kali Linux course is easily the lab. The lab network contains around 50 different hosts, each vulnerable to exploitation. Beyond knowing that getting access to each machine is possible, you’re not given many more leads than that. Some machines require previous access to other machines in order to pivot to them. Some networks are not initially unlocked, but the secrets that unlock them can be found on a vulnerable machine’s filesystem.

And that’s it.

This is where a lot of self-direction is required to succeed in the course. Confidence sky-high after finishing the course material, your first 5-10 boxes will likely take next to zero effort. A brief port scan, googling some vulnerabilities, and you’ve loaded up a Metasploit module and gotten SYSTEM/root/a buzz.

‘Wow!’ You might think, naively. ‘This course is way easier than everybody said. I must be some kind of hacking prodigy, this course will be a piece of cake!’

You will be wrong.

Poking at boxes will seem to become less productive. The low-hanging fruit is pretty much gone. Every click-to-exploit vulnerability you know from Metasploit has been used. Now what? In my opinion, this is where the rubber meets the road in terms of learning the skills required. Mostly you just choose a target machine and sit with it for a while. You find what services are listening, and you check their versions. If that doesn’t yield a vulnerability, then you have to start exploring the service. Can I access files on this SMB server unauthenticated? Are there any hidden directories on the web server with applications beyond what I see on the front page? Did I not actually do a full port scan (that means UDP too, you cretin!) and miss something obvious?

The answer will often be yes. And finding this out after banging your head against the wall will make you a better pentester. You’ll constantly find that when you’re stuck, there’s some assumption you’re making that’s unfounded. If you check your premises, you find the gap. For example, if you assume “I already looked through the web server, there’s nothing there” without having looked at the source code of index.html or robots.txt of the page, you might lose hours to that failed premise. In my opinion, that’s good! This will help you learn to add “check robots.txt and source code of the page” to your inner checklist when you find an open web server. This is true for all sorts of services you find.

Better yet, you’ll start scripting the things you do most often so you don’t have to do them by hand again. As good as you might be at keeping a checklist, a well-written script will save you tons of time by letting you know with confidence that you’ve enumerated a certain part of a host.
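As an added illustration of the “script your checklist” advice above (this is example code written for this review, not the author’s own script or an Offensive Security tool), here is a small, offline helper that runs the web checks the previous paragraphs mention: robots.txt entries, HTML comments, linked paths and hidden form inputs. It works on already-fetched response bodies passed in as strings, so it runs without a network and leaves fetching to the caller; the hostname `target.example`, the `CHECKLIST` names and the sample robots.txt and index page are all constructed for the example.

```python
"""Web enumeration checklist helper (added example, not from the original post).
Takes already-fetched response bodies so it runs offline; sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# The checks this script promises to have done for a host. Finishing the run
# means every item here was looked at, which is the confidence the post talks about.
CHECKLIST = ("robots_txt", "html_comments", "linked_paths", "hidden_inputs")

# Matches a path like /dev/ inside free text, but not the // or :/ of a full URL.
_PATH_IN_TEXT = re.compile(r"(?<![\w:/])/[\w.-]+(?:/[\w.-]*)*")


def parse_robots(body):
    """Return paths named in Disallow/Allow directives plus any Sitemap URLs.
    Disallowed paths are exactly the 'hidden' locations worth reviewing."""
    paths, sitemaps = set(), []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()  # robots.txt comments start with '#'
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("disallow", "allow") and value:
            paths.add(value)
        elif key == "sitemap" and value:
            sitemaps.append(value)
    return {"paths": sorted(paths), "sitemaps": sitemaps}


class _SourceParser(HTMLParser):
    """Collects comments, same-host links and hidden inputs from page source."""

    def __init__(self, base_url):
        super().__init__()
        self.host = urlparse(base_url).netloc
        self.base_url = base_url
        self.comments, self.paths, self.hidden_inputs = [], set(), []

    def handle_comment(self, data):
        if data.strip():
            self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        a = dict(attrs)
        for key in ("href", "src", "action"):
            if a.get(key):
                p = urlparse(urljoin(self.base_url, a[key]))
                if p.netloc == self.host and p.path:  # ignore external hosts
                    self.paths.add(p.path)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_inputs.append((a.get("name", ""), a.get("value", "")))


def parse_source(body, base_url):
    parser = _SourceParser(base_url)
    parser.feed(body)
    parser.close()
    return {"comments": parser.comments, "paths": sorted(parser.paths),
            "hidden_inputs": parser.hidden_inputs}


def enumerate_web(base_url, robots_body, index_body):
    """Run every CHECKLIST item and merge all discovered paths into one review list."""
    robots = parse_robots(robots_body or "")
    source = parse_source(index_body, base_url)
    comment_paths = {m for c in source["comments"] for m in _PATH_IN_TEXT.findall(c)}
    findings = {
        "robots_txt": robots,
        "html_comments": source["comments"],
        "linked_paths": source["paths"],
        "hidden_inputs": source["hidden_inputs"],
    }
    review = sorted(set(robots["paths"]) | set(source["paths"]) | comment_paths)
    return {"checks_run": list(CHECKLIST), "findings": findings, "paths_to_review": review}


# Constructed sample responses standing in for what a fetch would return.
SAMPLE_ROBOTS = """# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old dumps
Allow: /public/
Sitemap: http://target.example/sitemap.xml
"""
SAMPLE_INDEX = """<html><head><title>Welcome</title>
<!-- TODO: remove /dev/ before go-live -->
<script src="/static/app.js"></script></head>
<body><a href="/about.html">About</a>
<a href="http://other.example/x">external</a>
<form action="/login.php" method="post">
<input type="hidden" name="debug" value="0"/>
</form></body></html>"""

if __name__ == "__main__":
    report = enumerate_web("http://target.example/", SAMPLE_ROBOTS, SAMPLE_INDEX)
    for item in report["checks_run"]:
        print(f"[done] {item}: {report['findings'][item]}")
    print("paths to review:", report["paths_to_review"])
```

The value is less in any single parser than in the `checks_run` list: when the script finishes, every item on it has been looked at, which is the “I know this part is enumerated” confidence the post describes. Extending it means adding a check name to `CHECKLIST` and a function that feeds `findings`.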

After a while of this (somewhat painful) set of learning experiences, I began to develop a “sense” of where to look on servers to find flaws. Even when there was no immediately obvious instant exploit, I had an idea of the “usual suspects” based on open services. Once again, boxes started to fall easily and machines that had left me scratching my head now looked like low-hanging fruit. At this point, I felt ready to take a swing at the exam. I had root access to around 30 machines at this point. Some people do as few as 15 before taking the exam, and some make sure they’ve rooted all 50. Many people who’ve completed the certification have commented that the development of the “sense” is what really matters for passing the exam, and I agree with them. There’s no magic number.

While I would’ve loved to keep playing in the lab indefinitely and making sure I exploited every box, I didn’t want to keep paying for lab access. Furthermore, studying for the course was a huge drain on my weekends, and my girlfriend was getting tired of me saying “Yeah hon, that sounds fun! I gotta study today, though. Next time?” three times a week. So for the sake of my relationship and reclaiming some of my free time, I scheduled my exam date.

At this point, I had already completed my lab writeups as well as my exercises. But make sure you read Offensive Security’s notes here! I forgot to capture certain screenshots that were absolutely necessary for documentation and ended up spending my last study days running through all the boxes I had exploited from the top to make sure my lab writeup would be accepted.

This was a pain. Don’t be like me. Read the documentation early. You’ll thank me later. Also, the “rules” change. I found out the writeups and lab exercises only counted for 5 points (as opposed to the previous 10) a couple hours before my exam started. This wouldn’t have been the case if my exam had been scheduled a week earlier. My growing stress ulcer was psyched for that late-stage development, but the rest of me would have preferred I stay abreast of this kind of thing.

The Exam

The exam is pretty intense. You will receive an email from Offensive Security with an exam guide and VPN access to an exam network. This exam network has a variety of machines that need to be compromised within 24 hours. The constraint here isn’t so much that the machines are really difficult - if you’ve gone beyond the low-hanging fruit in the labs, you will have seen items of similar difficulty.

The biggest thing is the time constraint. In the labs, you have the ability to get frustrated with something, leave it alone for a week, and see it with fresh eyes and get root where you couldn’t before. No such luck here. To get through this, you’ll want to have your enumeration down to a science and have a solid bag of tricks. Personally, I had explained to my housemates and girlfriend beforehand not to bother me for 24 hours. I had a ludicrous amount of caffeine prepared (coffee? Red Bull? Monsters? Pick your pleasure). You definitely don’t want to have any other obligations during this time period!

I would also recommend going for the most difficult boxes first. The buffer overflow is going to be time consuming, and writing a custom exploit requires precision. Do. This. First. It will take a while, but it will take a whole lot longer if you try to do it after exhausting yourself on the other machines.

Beyond that, I recommend sticking to a schedule you set for yourself before the exam starts. I had been keeping up with the Offensive Security Twitter, and someone who had recently completed their OSCP showed a schedule they had made with the iOS app Timer Free. This allows you to specify how long you plan to spend on each target host before moving on, and schedules breaks in advance. Without this, it’s easy to just forget to take breaks. Or sink hours and hours into what you’re certain must be the road to root while completely missing low-hanging fruit on another target. It keeps you honest, and I would strongly recommend some kind of timer/scheduling.

The biggest mistake I made on my exam was eschewing the four hours I had given myself for sleep. I was certain I was minutes away from root access to the machine I was working on, so I just skipped sleep completely. This didn’t earn me any more points, but it did make the next day of reporting much more painful than it had to be and added about 3 existential crises to my evening.

The Report

After finishing your exam, you have an additional 24 hours to fill out the report. This involves documenting the vulnerabilities you discovered on each host, as well as a step-by-step path to exploiting them. This means screenshots as well! I took a completely indiscriminate amount of screenshots throughout the exam. I didn’t sort them at all, so I was searching through a huge amount of material trying to find screenshots I knew I had taken. I wish I would’ve taken the time to name them and place them into folders relevant to their host as I went.

This also will help you to, at a glance, determine whether you got all the screenshots you needed before you lose lab access. Trust me, you don’t want to pull off an awesome exploit only to miss getting full points because you documented your steps poorly.

Keep the writing professional as well. You will definitely be tired from your last night of work, but that’s no excuse to skip the spellcheck. Offensive Security is judging you by your value as a penetration tester. A penetration tester who can’t professionally and concisely convey security concepts to a client won’t last long in the field, and Offensive Security keeps this in mind when determining a pass or fail.

The Results

Fortunately, I only had to bite my nails for around a day before I got my results. Slightly less than 24 hours after I submitted my exam report, I had an answer in my inbox. Which is good, because I’d been refreshing my inbox constantly for 12 hours and it was beginning to become a nervous tic.

I can’t describe how happy I was to have completed the course. I will say I punched my desk in excitement and literally screamed in the office, which definitely worried my boss. But after that much work being put into something, knowing you didn’t blow it is pretty sweet.

Am I ready?

I’d certainly recommend this course to friends interested in picking up security. The course material is pretty cheap (as far as industry standard goes) for around a grand. The material is excellent, and there’s no better place to cut your teeth than the labs.

Personally, I had been in the security industry only very briefly before taking the course. I was a somewhat experienced Python developer, which made the scripting in the course easy to follow. I’d recommend that someone taking the course at least be familiar with scripting in some language and know their way around the command line. If you’re the type of person who sticks to the GUI because you don’t like looking up commands, the course would be pretty painful.

If you want to get a taste of what the course is like before committing yourself, I’d recommend trying to exploit some vulnerable VMs from . Building vulnerable VM CTF challenges is easily one of the weirdest and coolest subcultures I’ve seen in security, and it’s incredible what you can learn from these challenges absolutely for free! The creators only want to know you’re learning and having fun with them, and if you find the experience somewhat frustrating, very challenging and highly addictive, you’ll likely feel the same way about the Penetration Testing with Kali Linux course. I’d definitely suggest Troll as an excellent VM to start with. It’s part of a series, and each of them is more irritating (and yet, more satisfying?) than the last. It was made by a previous OSCP student attempting to capture/mock the feelings of frustration students commonly feel.

Just keep in mind, it’s actually pretty hard. So hard that Offensive Security even put out a reggae-flavored song in celebration of how hard it is. Real weird.

What’s next?

Kali Linux Revealed is looking interesting. I don’t think it’ll be extremely difficult, but knowing more about the architecture I’m using for pentesting should make me better at my job. Beyond that, I’m going to spend some time sharpening my C. I edited a bit of it here and there for different exploits during the course, but I definitely wouldn’t know how to develop those exploits myself. I’ll need to improve my low-level development skills to do original exploit research.