OSCP One Month in, First Thoughts

Skip first paragraph if you dont care about my background.

Whenever I read threads about taking certs I always wonder the backgrounds of the people taking it so I thought I would provide it. Currently in my 30's started on a helpdesk in my 20s moved to network engineering primarily worked on firewalls did routing and switching got a bunch of Cisco certs 5+ years was "senior network engineer". Wanted career change moved into a SOC, worked a year there and then took over a security engineer position, primary blue team stuff, implemented SIEMs, incident response products blah blah. Company paid for SANS certifications, was able to knockout GCIA due to my network background pretty easily, GCIH and CEH came after, 7-8 months ago I took GPEN and passed. As for GPEN, this test IMO was very easy if you made an index, I really feel like someone could pass it without doing any labs and not really retaining the information but thats another matter.
_________________

The OSCP contains a PDF document with videos and access to their lab, PDF is like 375 pages. I now fully understand why people complain about the PDF and "lack" of information. The PDF from the very beginning encourages outside research, literally a 50-50% split at minimum. I have no problem with this concept however it is frustrating when trying to learn a concept following the PDF and hitting a wall. For example, the PDF will say "Do X and you will get Y", if you then follow what it says you "Do X and get Z". I was confused at first and spent a large amount of time banging my head against walls re-installing VM's thinking I was missing something, then reading further in the PDF you realize you are supposed to run into these problems and research how to get around them. This isn't really clear and is re-enforced by the try harder method. I think a disclaimer or something saying "not all exercises will work out the box" would alleviate some stress on people. I get that "its a pentest you will always run into walls" but people are used to a study guide so it would save some people headaches if that was reinforced.

After about a week of going all over the place I found a rhythm I liked, my plan was to fully complete all exercises in the PDF first then step into the lab. I had already rooted a couple boxes using metasploit but decided to focus on exercises first. Some of the exercises were very difficult for me and from what I see on OSCP forums they are difficult for everyone. Buffer overflows for example are a totally foreign concept to me in terms of actual coding. From GPEN we did some buffer overflow exercises but they were normally run via metaploit and were more "fire and forget", we didnt use immunity debugger in the GPEN class. I have a very limited background with coding (CS degree but it was years ago), I literally would have to google the syntax for hello world in any programming language but I am doing well with being able to read python which appears to be critical. From what I am seeing in exploit-db and most of the exercises you can do almost anything with python. Any metasploit exploit that I am able to get working I have been trying to find python versions or write my own which will be beneficial for the exam.

I have now finished the PDF with the exception of one buffer overflow exercise which is causing me problems but I am slowly learning the ins and outs of debugging programs which is something I never did previously. I am very excited to get into the labs and start popping more boxes. The most important thing that has helped me is really planning out enumeration scripts and a process. I think time management is critical, when I started messing around with a box Id realize ive spent 3-4 hours running scripts back and forward having to retake notes and it really wastes time. When the exam is X number of machines and you have 24 hours time management is critical.

The last thing I will mention is access to the OSCP forums, in the forums you can post questions and read about others experience with each individual machine, this is good and bad, its bad imo because you could just use the forums to find every single answer to a lab machine, a large number of times someone posts the exact exploit needed to get in or they mention it in the title of a post which is annoying if you want to find out yourself. The good thing about this is if you are stuck or having problems you can go and get hints from the forums that are much more in detail that "try harder". IMO the forums should be a "last resort" and can give you a hint in the right direction, if you do nothing but read all the forum posts I think you will find the exam extremely difficult.

This has kind of become a rambling post but I will be happy to provide more updates or answer any questions that don't break the rules of the OSCP.

Find more posts tagged with

Comments

SteveLavoie

Thanks for the write-up, continue to keep us informed on your progress. OSCP is on my list after my CISSP.

Ertaz

Great feedback. Really puts this in perspective. It will probably help me not rage-throw things in my basement when the exercises don't go as planned.

blackedout

"Exercises don't go as planned" is really the best way to put it. Some exercises are great and really re-enforce what you are learning while others have had me banging my head against a wall. There are also sections in the pdf that would say something like "oh yea nmap is good tool also, google how to use it" its literally that blunt which I think is what is throwing people off. Next week I will provide a writeup of my first week in the labs. Again I cannot stress this enough organization is key, for example I made tons of folders, like I have a folder dedicated to just SMB tools and notepad documents with the syntax already created for enum scripts and the like. I initially was doing it on a tool by tool basis but my nmap folder wouldve been massive so I found for me personally organizing by port was easier, for example I have a folder called like "Webport open" and it has all sorts of tools for enumerating open web interfaces. Its really up to you but I have been doing well like this.

JoJoCal19

Thanks for the writeup and good luck on your journey!

636-555-3226

blackedout wrote: »

As for GPEN, this test IMO was very easy if you made an index, I really feel like someone could pass it without doing any labs and not really retaining the information but thats another matter.

A little off-topic, but I get a bit of a chuckle when I see people mention how easy GIAC tests are. I hear a ton of feedback from people who say SANS/GIAC training & certs are way too overrated because as long as you have a good index you can ace the cert test nearly every single time. I then ask them the most important question of all - if you hadn't created the index and took the test closed-book without any help, would you still have aced it or even passed it? Nearly every single person says there's no chance they would have passed without the index. Now, is that a reflection of how difficult the test is (and how little value it is?), or is it a reflection of how little people have gained from spending so much money on such a promising training program yet don't try to actually learn & retain the material? Just because you can ace the test without knowing the material doesn't mean the training & cert is bad - it just means that you're taking shortcuts and not maximizing the value of the material offered.

GirlyGirl

636-555-3226 wrote: »

A little off-topic, but I get a bit of a chuckle when I see people mention how easy GIAC tests are. I hear a ton of feedback from people who say SANS/GIAC training & certs are way too overrated because as long as you have a good index you can ace the cert test nearly every single time. I then ask them the most important question of all - if you hadn't created the index and took the test closed-book without any help, would you still have aced it or even passed it? Nearly every single person says there's no chance they would have passed without the index. Now, is that a reflection of how difficult the test is (and how little value it is?), or is it a reflection of how little people have gained from spending so much money on such a promising training program yet don't try to actually learn & retain the material? Just because you can ace the test without knowing the material doesn't mean the training & cert is bad - it just means that you're taking shortcuts and not maximizing the value of the material offered.

Best response I have seen in the past 2 years regarding GIAC certs. I will log back in around 2019 and hope I see something that tops it. Unfortunately I have given you (good or bad) rep in the past and not able to give you more rep. Thank you Sir/Ma'am. I nominated you for SANS Moderator.

SaSkiller

Lol, I passed all of my SANS certs (Excluding GREM) without a real index.

Then again I don't advise that.

Great post OP, good luck and looking forward to seeing more updates.

Dr. Fluxx

So many people fall into the same trap when it comes to the OSCP. Ive read almost all of the posts on the OSCP here and on reddit that i can find, and theres one common thread.

People who dont research ahead of time seem to get annoyed at the practices of learning in the OSCP.

It is NOT you typical exam.
I am currently preparing for it instead of jumping in because of the countless stories of those who did who wished they had known a variety of subjects better.

YOu said in your post "People are used to a study guide".

There are many accounts about the OSCP on here that detail this is NOT a traditional study guide and there are a few books outside of the OSCP that one can prepare for...based on your professional background, of course.

Youve fallen into the same exact traps that many do as i have read on here. These are traps in which i am driving to avoid.

It is interesting, however some of the same things you say with regard to what will help in the exam, has been covered by many others who have taken the exam themselves.

This is most reassuring.

My question is, did you research the exam before hand (this web forum, and other blogs)?

I am under the impression that this exam will NOT hold your hand like many other exams do.

blackedout

636-555-3226 wrote: »

A little off-topic, but I get a bit of a chuckle when I see people mention how easy GIAC tests are. I hear a ton of feedback from people who say SANS/GIAC training & certs are way too overrated because as long as you have a good index you can ace the cert test nearly every single time. I then ask them the most important question of all - if you hadn't created the index and took the test closed-book without any help, would you still have aced it or even passed it? Nearly every single person says there's no chance they would have passed without the index. Now, is that a reflection of how difficult the test is (and how little value it is?), or is it a reflection of how little people have gained from spending so much money on such a promising training program yet don't try to actually learn & retain the material? Just because you can ace the test without knowing the material doesn't mean the training & cert is bad - it just means that you're taking shortcuts and not maximizing the value of the material offered.

Just to respond to this I am not knocking SANS in anyway I think their certs and training are fantastic. I fully agree that people can index the hell out of an exam pass it then retain 0 information but you can easily weed out these people in interviews.

In terms of the GPEN, many of the questions were almost definition based, where an index is easily useable. If you compare it to say the GCIA where you are provided ip packet headers or raw pcap info and asked to identify the source port that isnt something you can easily lookup in an index imo. Thats all I was trying to say with that.

"My question is, did you research the exam before hand (this web forum, and other blogs)?"

Indeed I did the section where you say people who dont research get annoyed is why I mentioned my background. I'd say 50% of the reviews complain about study material then the other 50% say its fine get over it. I am just trying to provide some context and after seeing the PDF I understand why people are flustered, myself personally I enjoy the self study so I woudnt say I am annoyed.

Knowing that you will get frustrated coming in can be a benefit instead of banging your head against the wall.

Anyways, I will provide an update over the weekend about my venture into the labs.

TreySong

blackedout wrote: »

Just to respond to this I am not knocking SANS in anyway I think their certs and training are fantastic. I fully agree that people can index the hell out of an exam pass it then retain 0 information but you can easily weed out these people in interviews.

In terms of the GPEN, many of the questions were almost definition based, where an index is easily useable. If you compare it to say the GCIA where you are provided ip packet headers or raw pcap info and asked to identify the source port that isnt something you can easily lookup in an index imo. Thats all I was trying to say with that.

"My question is, did you research the exam before hand (this web forum, and other blogs)?"

Indeed I did the section where you say people who dont research get annoyed is why I mentioned my background. I'd say 50% of the reviews complain about study material then the other 50% say its fine get over it. I am just trying to provide some context and after seeing the PDF I understand why people are flustered, myself personally I enjoy the self study so I woudnt say I am annoyed.

Knowing that you will get frustrated coming in can be a benefit instead of banging your head against the wall.

Anyways, I will provide an update over the weekend about my venture into the labs.

Thanks for the update. I am starting my OSCP journey next weekend on April 23rd. Fingers crossed.

Mefistogr

I am starting my OSCP journey next weekend on April 23rd

Me too..best luck to both of us!!!!!

TreySong

Mefistogr wrote: »

Me too..best luck to both of us!!!!!

Mefistogr.
Let's stay in touch and help each other through this.

Mefistogr

Gladly!!!!

blackedout

Update: So I've had my first week in the labs and i'll go through my initial feelings followed by my current feelings.

Day 1: I was really excited to get into the labs and start hacking boxes, I thought I would run an initial scan of live hosts then pick one IP to focus on and go at it till it was pwned, in my excitement I strayed off and ended up mass scanning different things for hours which gave me a good lesson that I needed to apply going forward, time management.

I started to scan for live hosts, then did a dns port scan to try to find a dns server so I could get some hostnames, I found some DNS servers and was able to use common DNS methods to get more of a list. I was feeling good and accumulating a bunch of information when I realized I hadn't documented anything and I was going all over the place. Deep breath slow down lets get a system going for documenting this stuff. I've been using keepnote to document the course materials so I decided to make a new keepnote with folders corresponding to each IP address, for example if I had a lab machine that was 10.1.1.1 I had a folder called 10.1.1.1 and I put results of nmap scans and information in that folder. The biggest problem I initially had was the overwhelming amount of information and getting sidetracked, I found myself going off on several different machines at the same time pulling all kinds of info and scans running tools without any sense of direction. All of this is on ME, I need to pick a strategy and follow thru with it while meticulously documenting any information I find.

Regroup, I literally started over documenting live hosts and decided to focus on one machine. I picked a random IP address and found alice my first machine. Alice seems to pop up as everyones first machine and its only because its a low ip address, think if your subnet range was 10.6.1.X/24 alice would be like 10.6.1.2, thats why everyone seems to get alice first. In my preparation I made an excel file that I called "Recon/Enum" this excel file has a ton of tabs that correspond to ports. My first tab is a list of precanned nmap scans for tcp and udp ports, after I run those initial scans I can flip to a tab based on what port is open, for example if SMB is open I have a tab with some well known SMB scans, this includes nmap scans, enum4linux syntax, how to get smb versions etc. Basically I took everything from the course material on SMB and I put little one liners in with notes where I can just change a target IP and run the scan. I only made this after hand jamming the inital several days in the lab and realizing I kept looking up the same syntax. My recon excel now has like 20-30 tabs of all sorts of stuff which I actually have found really helpful, this works for me you need to find what works for you.

After enumerating the crap out of alice I was able to find a vulnerability that is well documented and has a metasploit exploit, I was able to pick my payload and exploit alice with metaspolit. Once I got into the box I was also able to just use "get system" to obtain system access and get the proof file. Metasploit is limited in the exam so I decided to research how to do this exploit without metasploit. Researching how to convert exploits for your own use I believe is fundamental to this course. I am learning a crapload about how these exploits actually function and im learning a ton of python, c, and ruby code aswell. After going thru several versions of code and trying exploit after exploit i was able to modify some code found on exploit-db and get a shell without metasploit. After getting the initial shell elevating my privileges on this box was rather simple, manual exploit and system completed for alice.

After alice I picked another IP and began enumerating, this machine only had one port open which I thought was odd but I was also excited because I thought It would be easy pickings. After running all sorts of tools and scripts for this specific port I came to the conclusion that this box is probably accessed via information from another machine. Without providing too much info I really commend the people who have created these labs because throwing in something like this for a machine most people will work on second is great because you really have to think outside the box and not get frustrated.

The third machine I enumerated had a ton of ports open which provided me with another great lesson. I was totally overwhelemed once I enumerated that box, I had OS versions, portocol versions, webpages, ftp client versions literally everything under the sun and I had no idea where to start, I felt very overwhelmed and it was hard to determine if a port was a likely way into the machine or if I was not creating exploits correctly. Makes you really double check work and second guess yourself which I guess is another lesson.

As the first week came to a close I really spent a large amount of time on alice but in the long run I think it was extremely important, I do not have a strong coding background and by having to run other peoples code and find out why things werent compiling I have learned a lot. I think the biggest thing I personally need to do is prevent scope creep, meaning pick one thing and focus on it until it is completed or you have all available information. I really jumped around a bunch and wasted time without documenting stuff but I am excited to get into more boxes.

Sidenote: I am doing my best to not provide specific info about boxes, if anyone feels I am getting too detailed please let me know and I can edit out things, I am just trying to provide some insight.

22306

did you finish the PDF and videos?

TreySong

Thanks Blackout! This is useful info.

blackedout

"Did you finish the PDF and Videos"

Yes I did with the exception of the linux buffer overflow exercise that I could not get working. I was able to do the windows one but couldnt get the linux one working. I plan on finishing it but I wanted to make the most of my lab time and not get hung up on it.

TreySong

blackedout wrote: »

"Did you finish the PDF and Videos"

Yes I did with the exception of the linux buffer overflow exercise that I could not get working. I was able to do the windows one but couldnt get the linux one working. I plan on finishing it but I wanted to make the most of my lab time and not get hung up on it.

When does the lab time start counting? Is it the day your course starts or the day you first log into the lab?

blackedout

The lab time starts counting the second that you get the lab email regardless if you login or not.

Blucodex

TreySong wrote: »

Thanks for the update. I am starting my OSCP journey next weekend on April 23rd. Fingers crossed.

I start the 29th at 5pm. I purchased 90 days of lab time.

TreySong

blackedout wrote: »

The lab time starts counting the second that you get the lab email regardless if you login or not.

Thanks I started midnight last Saturday and it's been counting since.

lynad

Good luck to you, i'm following this post

adrenaline19

Hey, I know what part of Buffer Overflows you are having problems with. I had problems there too. The do it yourself section, right?

You can't finish that exercise with just the videos included. Google buffer overflow problems and find a step by step walkthrough that lists some common mistakes.

If I were you, I'd finish that exercise before getting too deep into the lab. And document everything!

Hornswoggler

Great thread! How did this turn out? Was 90 days enough lab time?