First off, a little housekeeping regarding disillusion.us. You’ve no doubt noticed that I’ve been really quiet on the blog the last 6 months or so. I stopped doing g3k plays and other fun things to focus on BsidesOrlando and other career-related things. I’m planning to post here more often now that I’ve completed the OSCP. Between BsidesOrlando, SANS, PWK and getting engaged, I haven’t had a lot of free time. Now for the actual review.
So this isn’t the first time I’ve attempted to take PWK. Hell, I even tried to take PWB a few years ago. The thing you have to realize going into PWK is that you have to set aside a fairly large chunk of time. 90 days seems like a long time, but when you have a job, a life and are involved in the community, it gets eaten up quickly. With my first attempt to take the PWB, I wasn’t given a lot of time at work, even though it was a requirement for getting my bonus. I was managing a large chunk of clients across all US time zones mostly by myself, which was quite honestly silly. The second attempt, I won a voucher in a silent auction and I had petitioned my employer to let me take time to work on it, which they said they would, but that wasn’t true at all. The third time, I just tried to do too much at once, but I really wanted it so I stuck with it, and just today I’ve officially passed. I originally took 90 days, but I had to extend the labs for another 30 days due to poor time management. So if you have a busy calendar, whether it be social or professional, make it clear to your employer and loved ones that you will need time to work on this. My wonderful fiancée (who became my fiancée halfway through all this) was completely on board and did a lot of cooking while I worked in the labs. I’d like to take this spot of the post to recognize her, because she was a trooper and a huge support.
The first month of PWK passed me by without so much as looking at the labs. I had the materials from the previous attempt, so in order to prepare for it I had read all the material and watched the videos ahead of time, and I did that again in the first month. When the second month came around, I started working on the exercises and the labs.
The exercises were fairly easy, but I’ve been around the block. Most of what was contained in there was a refresher, but I decided to go through all the exercises up to and including the buffer overflow portion, then went straight into the labs. If you’re planning on taking this course, my recommendation is to barrel through the PDF and focus on material you are not familiar with. I spent way too much time mucking around with things I already knew because I didn’t have faith in my ability to pass the test. You see, you get extra points if you submit your lab report alongside your exam report.
The labs were great. I had a lot of fun hacking things in the lab and puzzling out everything. All in all, I managed to hack into 15 servers over the course of 3 months. I could have spent more time on the labs, in hindsight, but again, time management is key to this class and exam. It was frustrating, and I didn’t hack the more challenging machines, but I learned quite a bit.
OSCP Exam Pt 1
So to prepare for the exam, I read a number of reviews from the last year. The key thing I kept reading about was… time management. Of course, much like my time in the labs, I failed to properly manage my time. I started at 6am, which was a huge mistake first of all. The servers in this part were quite difficult (or so I thought at the time), and I wasn’t focused at all. I bounced around the servers in the exam, not really being efficient. I ended up with what I think is about 45 points out of 100, where 70 is needed to pass.
My biggest failures in this attempt were that I didn’t manage my time properly and I didn’t have a good plan. The one I came up with was emulating another reviewer’s second attempt, which was to break up each hour of the 24 hours and focus on one task each hour, including time for eating and naps. I learned that I don’t work like that. I got tunnel vision, decided to stay awake even though I had scheduled a nap, and just generally guzzled energy drinks at unhealthy levels. I didn’t even really take detailed notes, which caused me to go back and forth re-exploiting or grepping out .bash_history. I burned my Metasploit usage (you only get one) on a machine that I thought was easy mode, then fell down the rabbit hole that is Windows privilege escalation. That obviously didn’t work out.
Preparation for second attempt
So I actually didn’t spend a whole lot of time doing practical exercises between attempts. I mostly just read a book (Hacker Playbook V2), worked on how I was going to approach the exam and read my notes over. I ended up speaking to a lot of pentesters (Defcon happened to be in the middle of the two attempts) about their approach and methodology for documentation. From what I gathered, I needed to be a lot more meticulous when taking my notes and, when hitting a wall, take a step back and analyze the situation.
OSCP Attempt 2
So instead of putting out a big grand plan for the whole 24 hours, I decided to roll with the punches, but follow the note taking I had decided to do and be sure not to get overwhelmed. I lucked out with this attempt and got a duplicate lab machine, the one that gave me the most trouble last time. I tried my code from the previous attempt and it didn’t work. I downloaded fresh code, generated shellcode and corrected the code, and it immediately worked on the test box. I attempted it on the live lab box, which fell immediately and was running as an Administrator. In 45 minutes, I got the box that gave me the most trouble the last attempt and had points on the board. Every step I took in this exploitation, I wrote down on a pad of paper next to my mouse. I used Metasploit to grab the lowest point value server and had it within the next hour. I then wrote up those findings in KeepNote while nmap scans were running so I wouldn’t have to worry about it later. In two hours, I had half of the required points needed to pass and half of the report written. The next several hours were more brutal, the machines were harder to exploit, and the privilege escalation was… interesting. Clocking in at 16 hours, at 1am, I had 4 servers owned and 75 points out of 100. I took a break, laid down on the couch and proceeded to sleep through my alarm until about 6:30am. I had every intention to get the last server, but with the limited amount of time left I decided to re-exploit everything in the lab to tighten up the screenshots for every exploitation and escalation. I wrote up the findings from the other two servers from my awesome note taking, created a report template and added everything in. I had the report finished at around 11am, but I had anxiety over sending it. My girlfriend, who went to college like a fancy person, peer reviewed it for me and helped clean up my poor writing (Don’t worry Offsec, she’s a sign language interpreter!), and I sat on it until about 9pm before sending it off.
I got confirmation of receipt within a few hours and official confirmation of passing this morning!
So to sum it up in bullet points due to my wall of text above and still not having caught up on sleep:
- Come up with a plan that works for you
- Write notes for everything on every step. This works better than doing a thing and then having to go back and remember the thing. (even in the lab)
- Take breaks if you get stuck on something! You never know what your brain is going to realize while not assaulting it with the exam.
- Get a good night’s rest! If you are sleep deprived, your brain will start doing weird things and it will be difficult to do anything.
- Work smarter, not harder. If you can automate any part of the process, you’ll be doing yourself a favor.
- Make time for the labs, they will be the biggest help.
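The two bullets about writing notes for every step and automating what you can go together: the part of note taking that can be automated is recording exactly what was run, when, and what came back, so that the write-up does not depend on re-exploiting or digging through .bash_history afterwards. The following is an added example of that idea and is not from the original post or from Offensive Security; it assumes a POSIX shell and a writable notes directory (NOTES_DIR is an assumed, user-chosen location, and "demo-host" is a constructed placeholder target name).

```shell
#!/bin/sh
# Added example (not from the original post): a small per-command evidence
# logger for engagement notes. Every command run through log_cmd gets its
# full output saved to a timestamped file under $NOTES_DIR/<target>/, and a
# one-line entry is appended to an index, so the report can be reconstructed
# from the notes without re-running anything.
#
# Assumption: NOTES_DIR is wherever you keep notes for this engagement.
NOTES_DIR="${NOTES_DIR:-./notes}"
LOG_SEQ=0   # per-session counter so two commands in one second do not collide

# log_cmd TARGET CMD [ARGS...]
# Runs CMD with ARGS, records it, and returns CMD's own exit status.
log_cmd() {
    target="$1"; shift
    dir="$NOTES_DIR/$target"
    mkdir -p "$dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    LOG_SEQ=$((LOG_SEQ + 1))
    out="$dir/$stamp-$LOG_SEQ.txt"

    # Header first, then the command's combined stdout/stderr, all in one file.
    {
        printf '# %s UTC\n# target: %s\n# command: %s\n\n' "$stamp" "$target" "$*"
        "$@"
    } >"$out" 2>&1
    rc=$?

    # Tab-separated index: time, target, exit status, command line, evidence file.
    printf '%s\t%s\texit=%s\t%s\t%s\n' "$stamp" "$target" "$rc" "$*" "$out" \
        >>"$NOTES_DIR/index.tsv"
    return "$rc"
}

# Print the index in the order the commands were run (handy when writing up).
show_index() {
    cat "$NOTES_DIR/index.tsv"
}

# Usage, with a constructed placeholder target and a harmless command:
#   log_cmd demo-host uname -a
#   show_index
```

Because the index keeps the exit status next to the command line, a failed step is recorded just as faithfully as a successful one, which is exactly the information that tends to be lost when notes are written from memory at 1am.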
That’s it for distilling that venerable Great Wall of text into bullet points. If you’d like to take the OSCP, I highly recommend it. It’s hard, it’s challenging and it’s worth every second. I have wanted this certification since I was a baby hacker and I’m proud to join the ranks of OSCPs. Next year’s goal is OSCE 🙂