Thunderson's Journey To The OSCP
Learn about security researcher ThunderSon's journey to the OSCP and get some free bonus learning resource links!
Where I am now, what I am now, it's all thanks to the support of my family. The encouragement I received from taking my first steps into whatever I needed to do came from them. The fights they put me in, the hours long discussions to make the right decisions. Thank you.
Try Harder? What's that?
Before talking about the OSCP, let's talk about Offensive Security's slogan 'Try Harder'. Hang around Offensive Security and you'll hear this a lot. You'll hear it when you are at the edge of losing your sanity. It's at that point you discover that you should be trying harder, when you realize that you can't stop before reaching your goal.
Try harder means that your process is still lacking and you need to enumerate more bits and parts, or that you simply aren't seeing the vulnerability right in front of you.
In the IRC you'll generally hear TRY HARDER a lot even from other folks attempting to take the OSCP, knowing what you're going through and telling you to dig deeper. You're close to that sweet pot, you'll love yourself if you just try harder!
What is the OSCP?
OSCP is one of the golden certifications. Well, honestly, you can see its adoption by simply googling oscp blog and see the difference compared to other certificates.
As the name stands, you're gaining a certification that states that you're a penetration tester. Below are some discussions I had with people about it:
But the exploits are old.
So what? Who said that the exploits need to be the most recent ones for you to learn how to perform penetration testing?
But it's not even replicating a real windows network.
So what? Do you even know the basics to go on and attack a real windows network? How are you planning to begin that network attack?
OSCP isn't there to make a senior penetration tester out of you. The goal is to introduce you to penetration testing by giving you a hands-on lab. You are given a small course (PDF + Videos) to give you a small boost, then left on your own to apply those lessons and to research your way through the vulnerable machines.
Why is the OSCP a golden certification?
You can't grab the OSCP without putting in the time or having enough knowledge in the field. Whenever a recruiter comes face to face with a legitimate OSCP, they know that the person in front of them is up for the task. They know that the person in front of them is willing to put in the time to research and improve on what they already have.
They won't stagnate and let technology pass them by.
Who am I?
I am a computer engineer who enjoys programming and networking, I had the opportunity to take guidance from my brother and see into the world of information security. I started learning 3 years ago about general information security topics, and a year later, I took an internship. I have been employed for 2 years now.
I hold no special certifications. I am part of many discord communities, love to break vulnerable machines and participate in CTFs. You can find some of my write-ups here.
Are You Ready To Take The PWK?
The question I most hear is "what is PWK and how is it different from OSCP?"
PWK is the course and the lab period. OSCP is the certification you sit for after finishing your PWK time. I'd recommend taking the PWK after having basic knowledge about development, networking and information security. Go through some vulnerable machines, e.g. VulnHub, HTB, root-me and OverTheWire Wargames. They would allow you to go into the PWK in a very relaxed manner. This is no longer uncharted territory. In order to pwn any vulnerable machine, you need to follow the basic steps to a pentest. That's exactly what you need in your PWK experience.
What about my PWK experience?
I wake up around 5:30AM and start off around 6AM. I grab 2 hours of lab and then get to work till 5:00-6:00PM. I then get back on my studies till 9:00-10:00PM. On weekends, I'd have a full day break divided between Friday and Sunday. In other times, I'd be found in the lab. I had no social life and that didn't bother me.
Not going to hide it. I had to miss a couple of days. A day or two I was simply not able to do anything. Let it happen, it's your body asking for some time off. Let it have it and don't feel bad about it! Go out and have as much fun as you can!
I started off by reading the PDF and doing the exercises. It took me 6 days overall with the documentation, from there on I went into full destruction mode in the lab. I didn't set myself any expectations on how many machines I needed to pwn per day. That's just not the way to pentest! The goal is simple, learn, learn, learn.
As long as you are learning, you are on the right path.
I took down around 25 machines, I didn't even care about pwning the whole lab. I made sure I grasped the concepts and the methodologies and I had very limited time as I had a conference talk to prepare for. My mentality was my greatest asset. Without it, I'd have been crippled, burned out, you name it. A lot of people go after the OSCP and then get burned out from the process. What would you do then when you're in real engagements, and you suddenly can't handle it anymore?
PWK will teach you how to time manage, how to be mentally prepared, and how to follow a methodology. Time management will help you not go down rabbit holes, focus on the real gems and go after the gold. Being mentally strong will allow you to keep trying harder! It'll be your drive to get something through that pentest. Methodology is key, and when combined with the above 2 assets, makes you an armed beast. Methodology should become an instinct. SMB is open? Great, what shares are open? What access level exists on those shares? And we go from there.
You can start by having a cheatsheet and keeping it around for sanity checks, it is mainly about you knowing how each protocol works and where info can be found.
My PWK Approach
PWK is a network, as seen on the syllabus of the OSCP. Knowing how to tackle it is crucial! A network will be composed of machines, which in turn contain services.
Below is my approach. Doesn't mean it's correct or its golden. That worked for me, you can find what works for you by testing out different approaches. It starts off by checking the surface of attack, and then go after the most fruitful machines.
1- Grab the machines that are on the network. Use a bash script, then nmap, then netdiscover. Use multiple ones to grab everything and with high certainty. Missing a machine or two might hurt you on the long run.
2- Port scan those exact machines. Store those machines in a file and reference it in your scans. Those machines are all alive. Grab all their ports. Do that overnight. When you wake up, you'll be up for a treat.
3- Import your results into msfconsole. Yes msfconsole. It is one of the best data holder and keeper. You'll use it a lot in your real life engagements. You can't use it in the OSCP, but you don't need it as well while doing the exam.
4- You know your services now. Choose whichever you feel like taking down.
5- Deep scan it with scripts and grabbing more details about the services.
6- Attack the services and grab everything you can post-exploitation.
7- Repeat from 4.
How did I prepare for the OSCP exam?
The description below was my second attempt to prepare for the OSCP.
Most people prefer to take a day off, stop studying a week earlier, etc. It's up to the person. For me, I had work the day before, and had mobile training that night. My exam was at 12:00PM on Friday the 1st of February. The only thing I did the day before that contributed to me relaxing was taking a shower. I slept at 12:00AM, woke up around 9:00AM, had my breakfast and read some windows privilege escalation, made sure that my VM is properly working, took a snapshot of it, and was simply preparing for the exam. At 12, I began my exam. It wasn't an exam to me, it was an engagement. I felt no hurry, no stress, no nothing.
I saw myself doing an actual pentest. They hired me to do that. I am not after the points, I am after gaining access and showing Offsec that their network is miserable and weak. I already know that it is, I better show it to them! With that mentality, an hour passed and I had crawled the biggest machine and scanned another one. To give myself a small confidence boost, I attacked the BoF machine. An hour later, it was down. I knew how the process works, I trained for it and I know how to debug any issue that might arise. From there on, I was sliding fast through the machines. I made sure I drank a lot of water to stay hydrated, and to force myself to take those 2 minutes breaks. When I felt hungry, I simply took the break. I didn't plan anything before hand. It was a smooth real life engagement.
11 hours later, I had 80 + 5 points from the lab report, I took a well deserved break at that moment, sharing my success with my friends. I tried for a couple of hours to get those extra point, and then decided to stop so I can relax. I still have a report to make!
Difference Between My 1st & 2nd Attempt?
The main difference was my mentality, I was relaxed, a lot, on my second attempt. I knew I had nothing to fail. I knew I was the pentester they needed.
The first attempt was a bit forced. I was overwhelmed between work, the conference talk I was preparing, and what life serves you. I wasn't relaxed. I was stressed. I couldn't fail the exam, I had to pass it; that was my downfall.
Then, I shared with the community that I failed. I was hugged with warm feelings. The community around us is awesome. I was not shamed. I was encouraged to fail as much as I need. What's stopping me from failing if I'm still learning?
How Did I Prepare For My 2nd Attempt?
After the first attempt, my lab time was over. I didn't need lab time anymore.
From the above-mentioned practice environments, I chose VulnHub, and made a deal with myself to publish a blog per week. I published twice per week and took down over 10 machines. I knew my process was ready, I knew I didn't fluke my first attempt because I was not technically prepared. It was me that was standing between myself and the certification.
Proctoring
Proctoring was a smooth experience. 15 minutes before the exam, the exam taker should ensure that screenconnect works properly on their system and that the webcam is broadcasting properly to the proctor. The proctor guides the taker through a couple of steps and it's done. From there on, the only task is to share with the proctor when breaks are taken. Nothing else.
Before starting, I took some extra steps by letting them know that I live with my family. While doing the exam, whenever I used MSF, I made sure to let them know.
Vulnhub vs HTB
I never played with any other environments, so I'll restrict myself to these two.
VulnHub gives you access to machines, and makes you responsible of handling them. That opens up a lot of doors for you! Fast scanning, crashing unconditionally, doing whatever you feel like doing to that poor machine. Then, documentation is done however one pleases, and could be shared publicly.
HTB, on the other hand, is a competitive platform. If you live in the free lab, it's frustrating to do any type of lengthy scan. Resets are your worst demons. Nonetheless, I did Giddy, a windows machine, to get up my confidence in the windows realm.
Conclusion
This journey was a fun one for me, filled with determination. Despite all of the threats to the certification that keep arising, it is still worth it. It's not all about the OSCP title. It's about the person that comes out of it. It's not a scary experience, most certainly a challenging one. If you are still starting out in the information security field, joining a community is very essential to a good growth. Whether it is on Discord, MatterMost, or Slack, just join and say hi. The community is welcoming.
Similar blogs
https://www.willchatham.com/general/the-unofficial-oscp-faq/
https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html?m=1
https://jhalon.github.io/OSCP-Review/
http://justpentest.blogspot.com/2015/11/myOSCPreview.html
Goldmines
http://0xc0ffee.io/blog/OSCP-Goldmine
https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html
https://sushant747.gitbooks.io/total-oscp-guide/
https://backdoorshell.gitbooks.io/oscp-useful-links/content/
https://xapax.gitbooks.io/security/content/
https://github.com/swisskyrepo/PayloadsAllTheThings/
https://chryzsh.gitbooks.io/pentestbook/
Windows
http://www.fuzzysecurity.com/tutorials/16.html
https://medium.com/@rahmatnurfauzi/windows-privilege-escalation-scripts-techniques-30fa37bd194
https://github.com/pentestmonkey/windows-privesc-check
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html