OSCP - Try harder... again.
Mooseboost
Member Posts: 778
My previous lab time slipped away from me. A lot happened in between when I signed up and now, some good and some bad - both in my work life and home life. Everything from role changes to going through the start of a divorce. Now everything is clear and I am ready to go back into it.
I signed up for another 90 days. The lab doesn't feel any different than it did before, so I don't think any of the machines have really changed. On the plus side, I have some real world pentesting experience under my belt now, so hopefully, I can apply what I have learned.
Here we go, round 2!
Comments
EANx Member Posts: 1,077
Sorry to hear, it seems like every time you try to move ahead, an invisible hand reaches out to yank you back. How you deal with it shows your character and it seems your character is to keep plowing ahead.
HCPS123 Member Posts: 54
EANx is 100 percent right! At the end of the day it's not the cert that defines us, it's the path we choose to get the cert that matters. The cert is just a piece of paper, it's what it represents that's truly important; the hardships, the struggles, the training and skill we needed to get it. Someone can steal that paper from us, but that experience and triumph is ours and ours alone, no one can take it from us. Which is why I ultimately end up pitying those who choose to use ****, because they'll never taste that feeling we get when we finally get the cert.
NEVER give up!!! Keep trying and always aim to do better!!! Know that this forum believes in you and knows you can DO IT!!!!
JoJoCal19 Mod Posts: 2,835
Good luck in your pursuit, Mooseboost!
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
Mooseboost Member Posts: 778
Thanks everyone for the kind words.
Spent a good bit of time in the lab yesterday. Managed to get two roots out of the way, Alice and Mike. I'm pretty sure I found a vector on a third host, but I will need to play around with the webapp to get my shell going.
Roots: Alice, Mike.
Overall a pretty good start!
Mooseboost Member Posts: 778
Rooted Ralph last night. The exploit was simple but required some information in order to succeed. Information that literally was right there, you just had to look. Rooted him and took the dogs out for a walk before it monsoon rained again. The host I thought would be easy is going to be a bit more tricky. I found a writeup that should cover what I need though. Just a matter of doing it. Hoping to keep this pace up.
Roots: Alice, Mike, Ralph.
Mooseboost Member Posts: 778
What a busy weekend! I took a couple of nights off last week since I will be traveling to Atlanta this week to visit a client. I made up for it this weekend and hit the labs hard. The reward was totally worth it though, 5 new roots and a solid idea of what to do on another one.
The weekend proved to be a learning experience. Do NOT always rely on msfvenom payloads. Sometimes they simply are not the best for the job and will not always result in a stable shell. I keep hearing "enumeration" echoed from everyone who has been successful in the labs and the exam; this is the true statement. If you don't have a shell, then you haven't enumerated enough. Everything is there, you just have to find it. Record everything you plunder from a box because I can promise you, some of the things you find will come in handy later.
I am hoping the hotel's wifi will be good enough to spend a couple of nights in the labs. I am on a roll and don't really want to risk slowing down. I know I won't always be able to slam out roots but I don't want to lose that "rush" that I am feeling!
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma.
LonerVamp Member Posts: 518
Well on your way! Good job!
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
Mooseboost Member Posts: 778
The last week has been crazy. I was in Atlanta visiting a client and then had guests over for the holiday weekend, so my time in the lab was rather limited. That being said, I did manage to get some roots in and finally rooted Bob - a machine I have had a love/hate relationship with since day 1. It turns out I was going down a completely wrong path with him and doing something more complicated than was really needed. Once I changed my path, I hit a snag with privilege escalation but managed to figure it out. That was a small detail as well, fixed by a great blog post I found regarding that particular method.
The more I do the labs, the more of a process I start getting. Enumeration is still something I need to improve on and develop a better flow for. I keep going down rabbit holes due to jumping the gun - seeing something and immediately going for the exploit without finishing my enumeration. This has resulted in more lost hours than anything else in the lab. Enumeration and privilege escalation need a lot more practice for me. Thankfully, there is plenty of that in the lab!
In total so far I have 13 roots with plenty of lab time left. I think I may shoot for my first exam sit down towards the end of June. I hope to have a minimum of 20 hosts down by then.
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma, Beta, Helpdesk, Barry, Kevin, Bob.
H0ncho Registered Users Posts: 1
Good luck! I find that scheduling time to focus is the most difficult piece.
Mooseboost Member Posts: 778
Time is definitely a restricting factor. So many other courses and certifications can be done in small chunks - reading a few pages here and there. The OSCP requires a significant time sink - and some days I do struggle to get my lab time in. I think at the moment I have a good balance of lab time vs off time to keep me from getting burned out.
I rooted Mail and Joe today. Mail was relatively simple to get a low priv shell on and I just happened to stumble on the escalation reading a blog somewhere else. Joe was difficult though and proved to be a thorn in my side. Not because he is overly difficult, mind you. The battle with Joe was the first time I have had other students trying to work on the same machine as me. I was already working on Joe though, so I was not going to be defeated! I ended up getting him rooted and escalated before anyone else kicked me off with a revert. Grabbed my post exploits and scooted out.
I've found two machines now that have IT network access. I got really excited when I found the second network.txt, but it turned out to be another machine with access to IT. I was hoping for the admin network, but alas - not there yet. I have been lucky so far with rooting machines. I have had a few that I have had to come back to (looking at you Bob) but once I got a low priv shell - I was able to escalate within a matter of hours. I really need to work on that though, I know that timely escalation will be critical in the exam. I still have 73 days of lab time to go and 15 roots so far. I think once I hit 20-25 I will schedule my first exam attempt, hopefully in mid June. I doubt I will pass, but it will help me gauge where I am and give me lab time post-failure.
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma, Beta, Helpdesk, Barry, Kevin, Bob, Mail, Joe.
JoJoCal19 Mod Posts: 2,835
Awesome progress man! I also had the same thought in mind for when I do the OSCP. Aim for 25-30 machines then make an exam attempt.
Mooseboost Member Posts: 778
I've managed to keep a pretty good pace. The last week or so has been pretty busy both in the labs and out of the labs. I have a block of time between my old position and my new one. That was a life lesson for sure. I tried to do what I thought was the right thing and give them ample notice since I was working on something that had a deadline coming up in a few weeks. Well, that situation ended up with me being fired the same day. I will never go that far out of my way to give a notice. So now I have a month to really hit the labs. Speaking of dates, my first shot is scheduled for June 11th (Monday). I don't expect to be a first-time pass, but it will really help me identify where my weak areas are. I actually wanted the exam attempt to be late June / early July but their schedule only had one day in June and only weekdays in July. My new job starts July 9th, so I didn't want to stress myself out during the week that much.
The lab is progressing nicely though! I have rooted Pain and Humble, two of the big four. Pain actually was not that bad. Humble threw me for a loop. The initial shell was pretty difficult but I think the issue was because someone else was hitting the box at the same time. There is a DoS PoC you can do for the exploit and I think they kept using that. The service seemed stuck in a loop. I would revert and it would be fine, then shortly after crash again or act really weird. I finally moved to the second one of them (some boxes have copies) and after a revert everything went smoothly.
I am torn now between trying to get more boxes in the lab versus going back over the boxes I have now and practicing being methodical and writing out a report. I haven't done a lab report or the exercises from the PDF this round. I am tempted to go through them. Five points is five points and it is experience with writing the report. I know I need to hit the buffer overflow hard. Right now the plan is to go back and go through the machines I already have (without my notes as much as I can) and write the lab report up. Then go to the buffer overflow till I feel comfortable. Once I do that, I will go through the exercises if there is enough time left. I have a total of 18 hosts (17 lab write-up eligible) so I should have enough different paths to cover the lab guide.
Hopefully things speed up before the lab. Right now I don't have any machines that have taken more than a day or two, but that is still a lot of time per host. Even during the exam, I will probably still have to reference **** sheets and write-ups.
Roots: Alice, Mike, Ralph, Phoenix, Kraken, Susie, Alpha, Gamma, Beta, Barry, Kevin, Helpdesk, Bob, Mail, Joe, Pain, Humble, Core.
IaHawk Member Posts: 188
Great job, keep it going! I can't wait to start the OSCP journey...definitely on the fall/winter radar!
Mooseboost Member Posts: 778
The last couple of weeks have been busy and a tad on the crazy side. To give a quick update: I passed!
The exam was a beast. The labs did a good job of preparing me for the exam but I still had to try harder. The exam boxes were a step up in difficulty from the lab machines. After passing the exam, I took some time away since I had an out-of-town friend over. After spending some time at the beach and camping in the mountains, I feel fully recharged now and ready to go back to it.
What's next? I am not fully confident with that yet. I think for now that I will be focusing on web application and general pentesting before I dive further down any specific rabbit hole. I thought about the OSCE, but right now it doesn't make too much sense for me as a career choice. Before I head down the OSCE path, I need to find a pentesting position and build more of a foundation. Once I have that, I will circle back to the OSCE.
There will be a full review of the OSCP coming shortly. I don't quite have the energy at the moment to give it a proper write-up, but expect something within the next few days!
Thank you to everyone here who has shown support. It means a lot to know that there is a community there to help push you along when you need it.
JoJoCal19 Mod Posts: 2,835
Congrats on the pass Mooseboost!
Mooseboost Member Posts: 778
The OSCP has been the single most difficult challenge of my professional career. It tested my limits time and time again, pushing me further every time I stepped into the labs. “Try Harder” became a mantra and a phrase to live by. There is nothing in the labs that is impossible. The OSCP labs are designed to be difficult but doable; the difference between failure and success is you. The purpose of the course and the exam is not to teach you about any specific vulnerability or exploit technique, it is about developing methodology and mindset. If you cannot succeed in the OSCP because you cannot try harder, how will you ever be successful in the real world where you can’t buy more lab time with a client who is expecting a thorough engagement? The OSCP will prepare you for dealing with challenges and digging through to find the way. All-in-all, I managed to compromise 43 hosts in 40 days of lab time, including all of the big baddies.
About Me:
Prior to the OSCP I had roughly a year's worth of pentesting experience. In my career I have dabbled in a bit of everything from network engineering to analyst work, preferring the “Jack of All, Master of None” approach. Having a diversified background benefited me during the course, having been exposed to different technologies. Academics-wise, the only offensive course I had completed before was eLearnSecurity's PTS course.
The Course:
The training materials provided by Offensive Security are more than sufficient for getting started in the labs. My recommendation is to go through the PDF and videos together, section by section. If you follow each exercise presented, you will finish the training material with enough to compromise a handful of hosts. There is no particular order that is advised, but you will quickly figure out which services are more complicated and which services will be the easiest foothold. There are some mechanics in the lab machines that you may not see on the exam, so don’t fret if you can’t get those boxes. You will understand more about what that means once you start the lab and run across one of the hosts. I can’t spoil all the fun, can I?
Your lab time is best spent trying to expose yourself to as many boxes as possible. If you struggle more than a day or two on any particular host - move on and come back later. I feel like this is an absolutely critical requirement that I struggled with. The further down the rabbit hole one goes, the harder it becomes to dig yourself out. I spent days on hosts that I later came back to and easily popped. The more time you sink into a particular path, the harder it is to admit you are wrong. No one wants to admit they have wasted hours upon hours going down the opposite side of the highway, but hey - sometimes it happens. Time management is paramount in the course and even more so in the exam. Set timers for a box and when it's up - cycle out to another one.
Speaking of time management and administrative tasks - notes! I used CherryTree to keep track of all the notes about the lab network. I cannot stress enough that you do this from the start. I failed to keep proper notes when I started and because of this, I had to figure out certain hosts again when I circled back to them. Record everything - not just what works. You will kick yourself in the ass later if you don’t. Trust me. My own shoe print is still on my backside.
The standard recommendation for lab time is 90 days and I cannot disagree with that. You can get by with less time if you have some experience. In hindsight, 60 days of lab time would have been more than enough for me. It’s better to be cautious and not have interruptions during your lab. The cost difference is negated by the ROI I think the certification provides. There really isn’t anything that competes with this at the price level. SANS has some amazing training but it is bananas expensive. eLearnSecurity has great training as well for a similar price point but the name recognition is not there and the experience is nowhere near as intense as the OSCP is.
The Exam:
The exam is simply put: a beast. You will sweat and you will curse. Time management is no longer a recommendation but a requirement. You have 24 hours to obtain 70 points (65 points if you did the lab write-up and exercises) and another 24 hours to write the report. One thing that is not often discussed in reviews is the timing. My recommendation is to select a start time in the afternoon. This will give you time to get some rest in between. If you start at 6-9AM, then you don’t have the same benefit as someone who started at 3 PM. The person who started at 3 PM will work till the wee hours of the morning then grab some Zs and hit it again refreshed.
I started my exam at 3 PM and wrapped up with 75 points at 5 AM. One of my mistakes was not taking enough breaks. During the whole time, I only got up a handful of times. I didn’t eat and only drank minimal amounts of water. This is not the way to do it. I repeat, do not do this. You may pass but your body will hate you for a few days after.
In the exam, you will be given five boxes worth a variety of points. You will encounter the following: 25 point box (2), 20 point box (2), 10 point box (1). The order you do them in is entirely up to you. I’ve seen different folks tackle it differently. One of the 25 point boxes will always be a buffer overflow and the majority of people will go for that one first. While doing that box, you should have recon running against all the other hosts. By the time you finish your overflow box, the scans should be complete and you will have a base to go from. I went for the 20 point boxes first and then the 10 point box. Some people go straight for the other 25 point box.
Both of the 20 point boxes fell without too much trouble. I had 65 points within 7 hours and honestly was kicking myself for not having done the lab write-up. I could have walked away right then with enough points if I had. Alas, I didn’t so I had to conquer one more box. This is where things got frustrating for me and I spent the next several hours rolling around in the dirt while howling at the moon. Around 5 AM some wizardry happened and I was able to successfully exploit the 10 point box. I can’t (and won’t) give spoilers to any of the boxes but what kept me from immediately getting this box was a networking issue. I needed something from the box and during the transfer, something kept breaking. I spent over 5 hours banging my head against a bad transfer. On that fateful final transfer, I noticed the size was slightly different than before and behold - what I needed was correct this time.
Overall the exam does a good job of stepping up the difficulty of the lab. In terms of exploit difficulty, you will not find a significant increase in the level of effort but the time restriction adds a new level of stress. You can spend days poking at a machine in the lab. In the exam, you've got 23 hours and 45 minutes to own multiple boxes. This puts an enormous pressure on you that will cause minor mistakes to become big mistakes. The exam is absolutely doable if you have taken the time to hone your skills in the lab. Patience and Practice. That’s all that is required.
Conclusion and What's Next:
Looking back on the experience, I am thankful to have obtained my OSCP certification. It was a humbling experience to see a success where before I had a failure. There is nothing like the feeling of seeing that root prompt after struggling with a box for so long. The mindset I obtained during the course and exam will help me further my studies and career. If the question is Should I do the OSCP? The answer is yes. Always, yes. You don’t have to be an infosec wizard to take this course and be successful. It’s not about experience or intelligence. It’s about drive. If you can drive yourself to never quit, you can become an OSCP. You may require more time than others, but that is OK. Not everyone in the same physics class learns the material at the same rate.
As for what's next, I think I will spend some time focusing on web applications and start participating in bug bounties to help further my skill set. HackTheBox also seems like an interesting place to spend some time learning new things and keeping everything I learned in the OSCP fresh. I will be starting a new position as a threat hunter soon with a new company, so I will have that to focus on for the next bit as well. Certification wise, I have a PTPv4 elite voucher that I need to use so I may try to take a shot at the eCPPT.
Overall, I cannot recommend the OSCP course enough. This concludes my little write-up of my OSCP experience. I could write a formal prep guide but honestly there isn’t anything I could say that someone else hasn’t already said better. Good luck guys and always try harder!
chrisone Member Posts: 2,278
Very awesome write up moose! Congrats on the pass! I hope to pass by August! No interest in OSCE? After you take the eCPPT I'd love to hear about your experience and comparison between the two exams. That is if you take eCPPT before I take OSCP lol, then I would know first hand the similarities.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
Mooseboost Member Posts: 778
@chrisone - Thanks man!
I intend to kick off the eCPPT exam Monday if everything goes according to plan, so hopefully, I can answer that for you fairly soon. As for the OSCE, it definitely is in my field of interest. I would really like to pursue it but I am afraid at my current point, it is beyond what I am capable of. I don't think I am smart enough to tackle it... yet. Who knows though, that may change. If I do go for it, it will definitely take far more prep than I have done for the OSCP.
ottucsak Member Posts: 146
Thanks for the write-up! Wishing you luck on the eCPPT. It should be a walk in the park, just make sure that your report is awesome and provides enough value for the "customer".
IaHawk Member Posts: 188
Congrats on the pass. OSCP is next up for me...excited/nervous to get started this fall.
MalwareMike Member Posts: 147
Awesome write up! Good luck with the bug bounties!
Current: GSEC, GCIH, GCIA, GWAPT, GYPC, RHCSA, WCNA
2019 Goals: CISSP, Splunk certifications (Certified Core, Power User, Admin, and Architect)
Twitter: https://twitter.com/Malware_Mike
Website: https://www.malwaremike.com
SlickRick Registered Users Posts: 2
Very nice write-up Mooseboost. The part that I keep reading over and over is the following:
"If the question is Should I do the OSCP? The answer is yes. Always, yes. You don’t have to be an infosec wizard to take this course and be successful. It’s not about experience or intelligence. It’s about drive. If you can drive yourself to never quit, you can become an OSCP. You may require more time than others, but that is OK. Not everyone in the same physics class learns the material at the same rate."
That part along with "Try Harder" definitely keeps me going, as I doubt myself at times during my studying. Good luck on your future endeavors.