
Actively doing the OSCP - made this thread to document my journey

Mr.Lo Member Posts: 9
I see a lot of people on here hoping to take the OSCP at some point in the future. The aim of this thread will be to document the remainder of my journey, in hopes that others will know what to expect. I actually came across another user's OSCP thread on here which inspired me to also document my experience.

I'll start with a little bit about my personal background going into this certification:
I am under 25 y/o and am fortunate enough to currently work in the ITsec field. I do not possess a college degree. I have relied on self-teaching and other certifications in order to get where I am today. Going into this certification, I possessed almost no scripting knowledge. I had pretty decent Linux proficiency, a very solid networking background, as well as a strong knowledge of general IT security practices, by no means expert level though. Ever since hearing about the OSCP, I've been intrigued; to me, its allure is mostly attributed to the challenge it presents. Up until the OSCP, getting my CCNA was the hardest thing I've done. I now look back at it and laugh, because so far the OSCP has made me WISH it were half as easy as the CCNA. Everyone is different, but that is my personal opinion.

Signing up for the OSCP:
My OSCP journey began when I quit my networking job and walked out one day. I wanted to do security, and decided I'd devote my unemployment time to tackling the OSCP before seeking professional work. I initially signed up for the PWK course in December of 2014; however, shortly after, I accidentally acquired a job as an analyst and relocated. This kind of screwed up my studying endeavors, but in the past month I have returned full force to trying to finish this.

Where I stand now in my studies:
-There are lots of different approaches you can take. I opted to first watch all 8 hours of video, and take down detailed notes before tackling the hands on lab guide.
-The lab guide was all smooth sailing until I got to the buffer overflow module. The concepts are much more easily understood than performed. This was my first humbling experience with the OSCP.
-I took a step back after the buffer overflow section, and decided to manufacture a personal victory for myself so I went through the entire 300-400 page lab guide and created a master list of all commands and syntax. I just finished this yesterday, and the next step for me will be pressing onward with the lab exercises. I've opted to skip buffer overflow for now, and return to practice them later (time is money with this cert).

So what have I learned so far?
I really don't even know where to begin; I'll try to keep it brief. I went from possessing almost zero scripting knowledge to being very comfortable writing and using bash scripts, as well as SOME Python (this is one thing I'd really like to improve upon). My understanding of the way malware works has gone through the roof. As an intrusion analyst I can honestly say that even though this is a pentesting course, the benefits it has provided me with so far have been invaluable (and I'm not even halfway done). I'm very excited to finish the exercises in the lab guide and eventually hack my way through the lab machines to practice for the test.

Anyway, stay tuned guys. I will post updates as frequently as possible as I progress through the rest of the course. Any other fellow OSCP students please feel free to reach out.

Comments

  • MrAgent Member Posts: 1,310
    Love seeing these threads. Let us know if you have any questions about the course, as a few of us have gone through it and passed the exam.
  • NovaHax Member Posts: 502
    Glad to hear you're learning a lot. Don't forget to have fun.
  • Mr.Lo Member Posts: 9
    Thanks man, I won't hesitate to reach out next time I get stuck.
  • BlackBeret Member Posts: 683
    Changing jobs really changes priorities. I might have to get back on this soon, especially now that work will pay for it. I just have a few commitments to them first, like Linux+ and GCIA. Maybe I can knock those out in a month or two and get back on PWK.
  • JollyFrogs Member Posts: 97
    Good luck Mr.Lo, I'm keen to read about your journey!
  • Mr.Lo Member Posts: 9
    Tonight I had some spare time at work and resumed where I left off in the lab exercises, which was the "customizing and fixing exploits" module.

    This module brought back the familiar feeling of deep frustration that I felt during the buffer overflow exercises. In the end though, the offsec forums saved the day by reminding me to stick to my training. Turns out I was overthinking it way too much.

    The module presents a couple of exploits written in C. The goal was to tweak the existing exploit code, cross-compile it, and run it against your target (a software application on a remote host) to get your reverse shell.

    As someone who doesn't know C this was initially overwhelming. Swapping out the shellcode and fixing the return address in memory was simple enough, but I found myself way too focused on the size of the buffer, instead of the alignment of it. After endlessly tweaking values to get my buffer to the same amount of bytes as the one used in the videos, and with no success getting a shell, I finally checked the offsec forums which provided great explanations of a few key C code snippets. The forums also reminded me to use my debugger, which I had lazily neglected to use.

    After running the target program in my debugger, and sending it the original exploit (appended with my new shellcode and the proper return address in memory) the remaining tweak(s) became instantly clear, and it was only a matter of minutes before I had it working to the point I could receive a shell. Finally getting a shell after hours of frustration felt pretty f'n good and definitely instilled some confidence in me going forward.

    Next up for me is the "File Transfers" module. Sounds boring, but I can tell you it actually looks like one of the more interesting modules so far in the course. Not only does offsec teach you the file transfers, but also techniques that can be used to ensure your file transfers safely evade antivirus and firewall detection.
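The alignment point in the post above is worth seeing in code. What follows is an added example written for this page, not code from the PWK course, the offsec forums, or Mr.Lo's own exploit; it shows why "same number of bytes as the video" is the wrong target and "return address at the same offset" is the right one. Everything about the target is a constructed assumption: a 32-bit little-endian x86 service whose saved return address is overwritten at offset 468 of the data sent, an original exploit that shipped a 200-byte payload, a placeholder return address 0x7c86467b (not a real gadget), and 0xCC filler standing in for real shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed target layout for this example (not taken from the course):
 * bytes RET_OFFSET..RET_OFFSET+3 of what we send overwrite the saved
 * return address of a 32-bit x86 target, and the original exploit shipped
 * a 200-byte payload. The address below is a placeholder, not a real gadget. */
#define RET_OFFSET    468
#define ORIG_SC_LEN   200
#define FAKE_RET_ADDR 0x7c86467bu

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* The mistake: keep the original hard-coded pad and just swap the payload.
 * Correct for a 200-byte payload; any other length shifts the return address. */
size_t build_naive(const unsigned char *sc, size_t sc_len, uint32_t ret,
                   unsigned char *out, size_t out_len)
{
    const size_t pad = RET_OFFSET - ORIG_SC_LEN;   /* tuned for the old payload */
    size_t total = pad + sc_len + 4;
    if (out_len < total)
        return 0;
    memset(out, 0x90, pad);                         /* NOP sled */
    memcpy(out + pad, sc, sc_len);                  /* payload  */
    put_le32(out + pad + sc_len, ret);              /* lands wherever sc_len puts it */
    return total;
}

/* The fix: derive the padding from the payload length so the return
 * address always lands at RET_OFFSET. Layout:
 * [NOP sled][shellcode][NOP padding][ret addr, little-endian] */
size_t build_aligned(const unsigned char *sc, size_t sc_len, uint32_t ret,
                     unsigned char *out, size_t out_len)
{
    if (out_len < RET_OFFSET + 4 || sc_len > RET_OFFSET)
        return 0;                                   /* payload does not fit */
    size_t slack = RET_OFFSET - sc_len;             /* bytes not used by payload */
    size_t sled  = slack / 2;                       /* half before, rest after   */
    memset(out, 0x90, sled);
    memcpy(out + sled, sc, sc_len);
    memset(out + sled + sc_len, 0x90, slack - sled);
    put_le32(out + RET_OFFSET, ret);
    return RET_OFFSET + 4;
}

/* What the debugger would show you: at which offset of the sent buffer does
 * the return address actually sit? Returns -1 if it is not there at all. */
long find_ret_addr(const unsigned char *buf, size_t len, uint32_t ret)
{
    unsigned char le[4];
    put_le32(le, ret);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, le, 4) == 0)
            return (long)i;
    return -1;
}

/* Build with a dummy payload of sc_len bytes (0xCC = int3, so a stray jump
 * into it traps in a debugger) and report where the return address ends up. */
long ret_offset_for_len(size_t sc_len, int use_naive)
{
    unsigned char sc[512], buf[1024];
    if (sc_len > sizeof sc)
        return -1;
    memset(sc, 0xcc, sc_len);
    size_t n = use_naive ? build_naive(sc, sc_len, FAKE_RET_ADDR, buf, sizeof buf)
                         : build_aligned(sc, sc_len, FAKE_RET_ADDR, buf, sizeof buf);
    return n ? find_ret_addr(buf, n, FAKE_RET_ADDR) : -1;
}

int main(void)
{
    printf("naive,   200-byte payload: ret at %ld (want %d)\n", ret_offset_for_len(200, 1), RET_OFFSET);
    printf("naive,   350-byte payload: ret at %ld (want %d)\n", ret_offset_for_len(350, 1), RET_OFFSET);
    printf("aligned, 350-byte payload: ret at %ld (want %d)\n", ret_offset_for_len(350, 0), RET_OFFSET);
    return 0;
}
```

With the original 200-byte payload both builders agree, which is why the naive rebuild looks fine until the shellcode is swapped; with a 350-byte payload the naive buffer puts the return address at offset 618 and the service crashes without a shell, while the aligned builder keeps it at 468. The `find_ret_addr` check is the same question you answer by attaching a debugger and looking at what overwrote EIP, just done offline before sending anything.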
  • M0CAMB0 Member Posts: 14
    Hey, thanks for the posts and I look forward to following your journey. I'm in a similar boat as you, currently 24 y/o, fresh out of school, and I got a lucky break in the ITsec field; I'm starting my preparations for the OSCP now, so I'm gathering as many resources as I can. What did you do to overcome your lack of scripting skills? To me, I feel that's also one of my biggest weaknesses and one which I intend on addressing first.
  • Mr.Lo Member Posts: 9
    M0CAMB0 wrote: »
    Hey, thanks for the posts and I look forward to following your journey. I'm in a similar boat as you, currently 24 y/o, fresh out of school, and I got a lucky break in the ITsec field; I'm starting my preparations for the OSCP now, so I'm gathering as many resources as I can. What did you do to overcome your lack of scripting skills? To me, I feel that's also one of my biggest weaknesses and one which I intend on addressing first.

    Great choice, man, this cert is the real deal. Honestly, I didn't do much of anything to prepare in terms of my scripting abilities. As someone now relatively fluent in bash scripting, I can tell you that you too will go from not knowing a thing about it to being very comfortable writing your own simple bash scripts from scratch within the first week of going through the materials. The way they teach it will demonstrate how it would be used in the real world, which IMO makes it much easier to pay attention to, and learn.

    Python is one thing I wish I were a bit better at going into the course; however, it's not necessary to get through the course. The course will have you reviewing various languages of code and appending to it a lot, which will seem daunting but is surprisingly not bad. You'll find yourself Googling what certain snippets of code are, but that's about it. As long as you can look at code and have a general idea of what it's doing, you'll be fine. I'd honestly recommend diving right in and starting the course.
  • M0CAMB0 Member Posts: 14
    Mr.Lo wrote: »
    Great choice, man, this cert is the real deal. Honestly, I didn't do much of anything to prepare in terms of my scripting abilities. As someone now relatively fluent in bash scripting, I can tell you that you too will go from not knowing a thing about it to being very comfortable writing your own simple bash scripts from scratch within the first week of going through the materials. The way they teach it will demonstrate how it would be used in the real world, which IMO makes it much easier to pay attention to, and learn.

    Python is one thing I wish I were a bit better at going into the course; however, it's not necessary to get through the course. The course will have you reviewing various languages of code and appending to it a lot, which will seem daunting but is surprisingly not bad. You'll find yourself Googling what certain snippets of code are, but that's about it. As long as you can look at code and have a general idea of what it's doing, you'll be fine. I'd honestly recommend diving right in and starting the course.


    Thanks, for some reason I just have some fear of taking the dive and purchasing it. I just feel that I might go in way too over my head (background: fresh out of school with an IT Sec degree, 2 months in a job as an IT Sec consultant). I guess I just want to be super prepared, but I think I'll give myself until the end of this weekend to brush up on my coding skills, maybe start developing an arsenal of enumeration scripts along with developing a plan of attack, like others have posted, for when first being faced with a system.
  • Mr.Lo Member Posts: 9
    M0CAMB0 wrote: »
    Thanks, for some reason I just have some fear of taking the dive and purchasing it. I just feel that I might go in way too over my head (background: fresh out of school with an IT Sec degree, 2 months in a job as an IT Sec consultant). I guess I just want to be super prepared, but I think I'll give myself until the end of this weekend to brush up on my coding skills, maybe start developing an arsenal of enumeration scripts along with developing a plan of attack, like others have posted, for when first being faced with a system.

    Not a bad idea. I think the main reason people have trouble getting through the course is just the sheer amount of time it requires. It's certainly a battle of attrition. If you've got the time, though, go for it.
  • NovaHax Member Posts: 502
    M0CAMB0 wrote: »
    I just feel that I might go in way too over my head (background: fresh out of school with an IT Sec degree, 2 months in a job as an IT Sec consultant).

    Not necessarily a bad thing. Sometimes "sink or swim" is the best way to learn.
  • sexion8 Member Posts: 242
    NovaHax wrote: »
    Sometimes "sink or swim" is the best way to learn.

    ... And what you learn is never going to be enough, and sometimes overkill. I miss taking certs, but the reality is, the content doesn't apply in the real world. I do pentesting for a living, and have been doing so since the late 90s, before there was EC-Council, Kali, and a bucketload of companies. When I took the OSCP, I wrote a shell script to run out and do the exam for me in about 3 hours, then spent another hour crossing T's and dotting I's.

    Since January of this year, I have performed about 14 penetration tests, which is A LOT considering most of my time is spent report writing. I can assure you, nothing I learned in any test prepared me for the reality that: "means nothing at the end of the day." I'd have been better off studying "risk management" and auditing in parallel to already being exposed to information security (systems administration, networking, design, etc.). This is not to take away from anyone taking the test... I say: "enjoy it, have fun with it, do the best you can at it..." Don't, however, think for an iota that what you see on that and other GPEN-like exams is somewhat relevant. I spend more time POST penetration testing formulating responses to likelihoods and risks of exploitation. Most exploitable (internal and external) vulnerabilities are minimal nowadays, and the vast majority that are exploitable have high likelihoods of crashing systems and services. ... I have more fun social engineering my way into environments.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • Mr.Lo Member Posts: 9
    Hey guys, it's been a while. Don't want you to think I've given up! I've actually got quite a bit of pressure on me these days, as I have an awesome job being dangled in front of me pending the completion of this. A lot has happened since I last updated as well.

    I continued inching my way through the lab exercise guide and finished just about all of it, but summer got the best of my attention span and I didn't stay as persistent as I should have. I tried diving into the labs to try comping whatever I could and felt a bit overwhelmed; it was hard for me to piece everything together (aside from enumeration/information gathering, etc.). So, fast forward to now. I've taken a couple of weeks off from work solely to focus on this. My phone is in airplane mode, and I've basically told all my friends to leave me alone until further notice.

    I don't plan on taking the actual exam during this two week journey, but rather just to at least get everything documented, and prepare my lab reports. You must document all the required lab guide exercises, as well as your experience in the actual lab environment (which you are supposed to treat as a penetration test). Offsec is flexible in their reporting so I'll be doing each report separately, as well as reviewing the material as I go along to drill it into my head. I'll be updating this thread daily/semi daily from here on out.
  • ilikeshells Member Posts: 59
    Good luck Mr Lo. Keep at it!
  • eth0 Member Posts: 86
    I am really confused why people talk about the OSCP as if it were the hardest thing; with 4 years of professional experience I rooted the whole lab (50 hosts) in 1 month (and I have a full-time job) :). There is nothing especially hard about this certificate, and the exam is too easy imo. OSCP was my first certificate ever.
  • veritas_libertas Member Posts: 5,746
    @eth0: I think this is because many on this forum do not come from a pen testing background. If you do, then it may indeed feel too easy.
  • soverylost Member Posts: 8
    eth0 wrote: »
    I am really confused why people talk about the OSCP as if it were the hardest thing; with 4 years of professional experience I rooted the whole lab (50 hosts) in 1 month (and I have a full-time job) :). There is nothing especially hard about this certificate, and the exam is too easy imo. OSCP was my first certificate ever.

    I don't know how to send a private message, but I really think I could learn a lot from someone like you, and I sort of really need the help, as I am the exact opposite of you and currently suffering... help?
  • Vics Registered Users Posts: 3
    soverylost wrote: »
    I don't know how to send a private message, but I really think I could learn a lot from someone like you, and I sort of really need the help, as I am the exact opposite of you and currently suffering... help?

    Try harder, you will learn zero if somebody helps you find the solution. Do you want to learn zero or do you want to learn a lot? Your choice.
  • soverylost Member Posts: 8
    Actually, the "try harder" policy should only be invoked under certain conditions. If I've wasted around 2 weeks trying to figure stuff out, then it means that "try harder" is the wrong way to go.

    But I do appreciate you trying to keep me on the straight and narrow. And to answer your question, learning by watching/following steps someone else performs is definitely a thing, so I wouldn't exactly be learning "zero".
  • Janne4 Member Posts: 29
    Hi!
    How is it going in the labs, how many machines have you hacked so far?
    Or haven't you started with that part yet?

    I am deep in the labs now, have done 90 days but only got around 20 machines, so I took 30 days more.
    Not particularly good at this, but learning...
  • Mr.Lo Member Posts: 9
    Janne4 wrote: »
    Hi!
    How is it going in the labs, how many machines have you hacked so far?
    Or haven't you started with that part yet?

    I am deep in the labs now, have done 90 days but only got around 20 machines, so I took 30 days more.
    Not particularly good at this, but learning...

    I started the labs a couple months back, when I was going through the material a bit more rigorously. Only rooted a few machines, then got distracted by summer things.

    For right now, my main focus is reviewing all of the material and writing up all my reports. Once I complete the documentation part and drill this stuff into my head a bit more, I'll be taking some stabs at the exam as soon as possible while it's all still fresh in my head.
  • Mr.Lo Member Posts: 9
    The documentation/review is going pretty smoothly. Having already gone over most of the material, it's all coming back to me and some things are making more sense. At this point I'd like to issue a statement to any people wanting to take this: the exercises and concepts learned really aren't all that bad; however, I will say that there are certainly a few exercises that will make you hate your life.

    Prime example:
    I spent 10 hours yesterday trying to complete the buffer overflow exercise for the vulnserver application, and still haven't figured it out. It's funny, because whenever I get stuck and check the offsec forums (for any exercise), lots of other students say that their biggest problem was overthinking. Although that's definitely not what you want to hear after spending 10 hours in a chair looking at a debugger, it's slightly reassuring. I'm confident that I will be able to tackle vulnserver on my next pass; however, like I've said before, time is money with this cert, and for now I've opted to move on and continue to thoroughly document the rest of the exercises in the lab guide.

    Will continue to update in coming days.
  • Janne4 Member Posts: 29
    Ok, a bit of a warning though...the exam itself is 100% practical and all about throwing everything you got (skill wise) against 5 machines to try to root as many of them as possible.
    If you don't have much practical experience with pentesting then it will be really really hard.
    I would not feel comfortable going in to the exam without having rooted most of the machines in the lab network.
    All my previous exams have been 100% theoretical so it has been all about studying but this is something else I think.
    There is also the reporting bit, and it is wise to have finished as much of the documentation as possible before the exam, as you do.
  • eth0 Member Posts: 86
    veritas_libertas wrote: »
    @eth0: I think this is because many on this forum do not come from a pen testing background. If you do, then it may indeed feel too easy.

    But I was a pentester for half a year before I started the OSCP, so you know, that is almost nothing as experience.
    soverylost wrote: »
    Actually, the "try harder" policy should only be invoked under certain conditions. If I've wasted around 2 weeks trying to figure stuff out, then it means that "try harder" is the wrong way to go.

    But I do appreciate you trying to keep me on the straight and narrow. And to answer your question, learning by watching/following steps someone else performs is definitely a thing, so I wouldn't exactly be learning "zero".

    Sorry, but hacking is something you need to learn on your own. But you know, you can always think about how much you will get then; for example, in my country I can have like 2.5-5x the average country salary as a pentester with my experience (almost 1 year as a pentester, some 3 years in infosec in total, almost 1 year as a Linux admin)... so just try harder :).

    BTW, guys, my way of learning was just trying to hack servers. I didn't use any automatic tools (like Nessus etc.) other than my own scripts, and the targets were infrastructure that allows you to hack it, so basically bug bounty programs. This was also a good way to show that I have some knowledge with almost no experience. I am listed on a lot of bug bounty thanks pages after some 2 years of self-development that way... also now I have nice stories about what I have done and how I figured it out, and I am proud of some of them, and what is most important, all of it was legal: just responsible disclosure without any problematic situation. Just don't be a kid and don't destroy anything (like removing data, modifying data, using some private data for anything other than a short PoC, don't **** data, etc.) :). Also, basically because of this, kids, when they are able to hack something, make "hacked" pages to show friends and other ****. Real hackers don't, in most cases (ideological motives etc.). Anyway, you can't learn infosec in 2-3 years; I started when I was a teenager, so some dozen years ago, so maybe because of this everything on the OSCP was so easy for me, since I have just practical knowledge without learning from any books or courses before.
    Janne4 wrote: »
    Ok, a bit of a warning though...the exam itself is 100% practical and all about throwing everything you got (skill wise) against 5 machines to try to root as many of them as possible.
    If you don't have much practical experience with pentesting then it will be really really hard.
    I would not feel comfortable going in to the exam without having rooted most of the machines in the lab network.
    All my previous exams have been 100% theoretical so it has been all about studying but this is something else I think.
    There is also the reporting bit, and it is wise to have finished as much of the documentation as possible before the exam, as you do.

    As above, this is just about thinking :). The overflow on the exam is nothing; it is step-by-step copy/paste lol. The exam is boring; a lot more skill was needed in the lab than on the exam. The exam is made in the way of "hey, there is a vulnerability, find it", so a bit stupid :). So what I mean is, when you have a service, then for sure there is something in that service, so it is not even like a real pentest...