Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!
adv ex on 5 january 2024
adv ex on 22 February 2024
adv ex on 22 February 2024
banner Expire 26 April 2024
Rescator cvv and dump shop
banner expire at 13 May

Yale lodge shop
UniCvv
banner Expire 1 April  2021

Review: Offensive Security Certified Professional (OSCP)

ALBERT

TRUSTED VENDOR
Staff member
Joined
Dec 3, 2020
Messages
1,214
During the last 3 months it was more quiet than usual on Hacking Tutorials. In this period less tutorials and articles were publish on Hacking Tutorials but there was a very good reason for that. For the last 3 months I have followed Offensive Security’s Penetration testing with Kali Linux (PWK) course and got certified as OSCP. In this article I will be reviewing the courseware, the labs and the brutal 24 hour exam. We will also look at which prior knowledge would be beneficial during the course and how to get this knowledge. We will conclude this article with some tips and hints that helped me passing the exam.

OSCP courseware and videos
The Penetration testing with Kali Linux courseware contains a PDF file and instruction videos on all subjects. The course covers many different subjects such as passive and active information gathering with many different tools but also writing simple buffer overflows exploits for Windows and Linux and privilege escalation techniques for both operating system. You will also learn about exploiting web applications, perform password attacks, tunnelling and how to use Metasploit. The full course syllabus is available here:

https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

It is helpful if you have prior knowledge of networking basics, scripting/coding and maybe some hacking and enumeration techniques in general when you start the course. Every subject is explained very well in the courseware and starts from basic. However, you really need to learn a lot during this course in a very limited timeframe. Especially when you do this course beside a full time job like most of us. Any prior knowledge will speed up the learning, lower the learning curve and save you some time.

Tips for the OSCP courseware
Follow the courseware first and then start practicing in the labs.
Use additional sources to learn more. A list of great online and offline sources is at the bottom of this article.
Join the offensive security PWK forums and social media and talk to other people. You can learn a lot from other people too, especially when you have little or no practical experience on the subject. InfoSec is often a passion and a way of living so people are often quite nice and willing to share information and educate people who share the same passion (read last paragraph for what questions to ask and what not).
OSCP Labs
The best part of the learning path to OSCP certification are the labs. The OSCP labs contain several networks with over 50 servers to practice your ethical hacking skills on. The operating systems on these hosts vary from Windows XP, Windows 2008 server and Windows 7 to different Linux/Unix based operating systems such as Debian, Ubuntu, CentOS, FreeBSD, Fedora and more. Some operating systems are old (there’s even a Windows 2000 server) and some are very recent like Windows 8.1 The lab also contains several clients performing automated tasks which can be targeted to learn about client side exploitation.

Proof.txt files
The main goal for each machine is to get a shell on the machine with administrator privileges and collect the contents of a proof.txt file on the Desktop. Some machines contain a networksecret.txt file besides the proof file. These machines are configured with a second network adapter which allows you to use the machine as a pivot point and access an otherwise unavailable network. The contents of the network secret files allows you to revert machines in other subnets from the student panel. The OSCP student panel is accessible through the VPN connection and is an interface to revert machines, use Offensive Security’s Crackpot and to (re)schedule your exam.

Root shell
Root shell!

Vulnerable machines
Every host on the lab contains one or more known vulnerabilities, varying from local file inclusions (LFI), backdoors and SQL injection to remote buffer overflows, default passwords and remote file inclusions (RFI). Privilege escalation is often performed through exploiting OS and application level vulnerabilities but also trough misconfigurations such as incorrect user privileges on files and services. After proper enumeration and assessing the vulnerabilities you have to exploit them in order to get a limited user shell, sometimes directly a root shell or information which will lead to any of these. The vulnerabilities together have been setup very well and often you need to exploit a clever a combination of them to get root or administrator access. I must say that Offensive Security has done a great job on setting up these labs.

Metasploit and automated tools
The use of Metasploit is limited during the OSCP examination, although it is advised to get familiar with Metasploit and practice using it on the lab machines. You are allowed to use it on one machine during the exam which is often considered as a lifeline by many people. Personally I’ve often used both ways to exploit vulnerabilities, first manually and then with Metasploit if an exploit module was available. Using automated (commercial) vulnerability scanners, such as Open-VAS, is strictly forbidden on the exam. Using them in the labs would be wasting your learning experience when it comes to enumeration and vulnerability assessment as this part of the penetration test is automated.

Tips for the OSCP labs
The student forums contain a walkthrough written by Offensive Security for machine 71. Follow it to get a clear picture of how to conduct a penetration test from enumeration to privilege escalation and post exploitation.
Learn about the methodology used in the walkthrough, the techniques are less important.
When you’re advancing through the labs, write a simple bash or python script to perform (a part of) the enumeration. This will improve your scripting skills and experience but also save time.
Try to root as many machines as possible because all boxes contribute to your experience and learning process.
Extend your lab time if necessary and possible when you have left a lot of boxes untouched at the end.
You can install your own vulnerable machines for practising or download them elsewhere.
OSCP exam
After going through the courseware and finishing the bigger part of the labs, you might be ready for the horrific 24 hours OSCP certification exam. At the scheduled exam date you will receive new VPN credentials to access the exam network. The exam network consists of 5 machines with a number of points ranging from 10 – 25 in the networks I got. You will need a total of 70 points to pass the exam. Personally I have taken 2 attempts to pass the examination and obtain the OSCP certification.

The most important factors to consider prior to the exam are:

Time management
Avoiding rabbit holes
Make a battle plan which you will stick to during the full length of the exam
OSCP Exam #1
On the first attempt I started at 11 AM and did not have a solid plan and just ran into the exam. In the first 2 hours I managed to get root on the first box. In the 6 hours to follow I rooted the second box. From that moment on everything went downwards and I got lost for hours in what later seemed to be a rabbit hole. At that moment it was impossible to get out of it, also because the tiredness kicked in after 16 hours making it hard to remain focused. I stopped at 3 AM and slept till 08:00.

I got back to the exam at 08:30 and only had 2 hours and 45 minutes left. In that period I got a limited shell on the box I was stuck at the night before and almost rooted a second one but it was too late. The VPN died and I knew I had failed the exam. I have learned a lot from this first failed attempt. I have learned how important time management is and that you really need a strategy to avoid rabbit holes and lose too much time. At the end of this article I will present you with a list of points to consider which really helped me to avoid rabbit holes. I found that avoiding rabbit holes is key in passing the exam on the second attempt.

OSCP Exam #2
The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours. From the first attempt I knew that exam hours 12 to 16 are worthless. Personally I become too tired and lose too much focus after 12 hours. I also started with the harder exam machines this time. Those are the ones that give 20 or 25 points. In the first 12 hours of the exam of the I managed to get 55 points. I went to sleep at about 5 AM and woke up to continue the exam at 8 AM.

In the hours to follow I managed to get another 40 points. I had a total of 90 points and I knew I had passed the exam. For one box I did not manage to escalate my privilege level to root, but I was fine with that.

OSCP exam report
In the next 24 hours you will be writing a penetration test exam report. The exam manual, which you get at the start of the exam, explains clearly what is required in the report. Make sure you collect this information during the exam in the required format. Prior experience with report writing (lab report for example) will help you a lot at this point. After submitting the lab report I got the following e-mail about 2 days later from Offensive security:

OSCP
OSCP Pass mail!

Tips before the OSCP exam
The following tips will help you before the OSCP exam:

Make a battle plan before the exam which at least contains the following:
Breaks with time, including dinner, lunch and breakfast.
Determine when and for how long you will sleep. Yes, you need to sleep in 24 hours.
How long to work on a single box. Personally I suggest to switch to another box when you are stuck on a box for more than 2 hours.
Which enumeration to perform on every step of the penetration test (at the start and on a low privileged shell).
Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
Rest before the exam, at least a day is what I would recommend. A fresh and sharp brain at the start of the exam is more important than a few more details covered.

You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is a great practice for this, use it to learn how to document properly.
 
Top Bottom