Offensive Security Certified Professional (OSCP): After the 60 day ordeal

 

Here is a small review/introduction about the Offensive Security course, ”Penetration testing with Kali Linux”. I took the course so I could take better care about the security of the servers I am responsible of. I had some minor security training, but mostly self-learned computer security beforehand and I thought I knew a good deal about computer security. I was so wrong. Course exceeded all my expectations and I really had to work to get the certification! I love challenges, and this challenge was one that didn’t let me down. Oh. did I mention, just the report from the course exercises exceeded over 260 pages!

I did the course on my own time, but that was pretty taxing. I had to work many hours with the course almost every day in those sixty days. Luckily, I have a great family that is understanding. Because of my current work load, doing the course in the work time would not even be possible. Doing stuff that relates to work in your own time is a ’no no’ for most people, and so it is usually for me too, but I saw the course also as a challenge and for testing of skills and for and opportunity to learn many new technical things.

Course material

After the course was booked I received the course material from Offensive Security. It included a .PDF document that had ~300 pages, ~10h worth of videos, Virtual server image (Kali Linux), OpenVPN access to a laboratory network, course panel for use you in the lab environment to manage servers and a personal virtual Windows server that was used for all kinds of test and to develop exploits and doing course exercises. Videos and documents supplemented each other very well. It was interesting to note that all videos and documents had my name and home address watermarked to them. Good way to prevent sharing of those documents! If you’re interested about the synopsy of the course, check out from here:  https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

Contrary to other courses, this course didn’t explain everything for you and you had to seach (a lot!) more information so you would be able to do all the exercises and specially the hacking of the lab netwrok. One of the main points of the course was to get student think differently in front of unknown problem and how to search information related to that unknown problem. ”Helpdesk” was in IRC and Jabber and from there it was easy to ask help with problems from the admins. But…Offensive securitys motto is ’Try harder!”. Whenever asked help from admins and they thought that you haven’t done enought, the answer was ”Try harder!”. It was good, because you first had to really try to solve the problem by yourself and you had to think. That way, the answer was not given in a silver platter  and you had to use your own brains. That schooled you to think differently, to solve problems with only the tools / methods you had available. To think like a hacker!

Tools

OpenVPN (with the supplied Kali VM box) was used to connect to the lab environment and Windows test /debug server. This way you didn’t basicly need you own computer in the course at all. The Kali VM box supplied by Offensive Security, was used in all exercises, in some cases conjunciton with the Windows server in the lab network. I runned the Kali VM in my own small private virtualization environment (every decent hac…computer expert has one, right?) so I had full control and could monitor the virtual host. The tools used in the course were e.g. OpenVAS, nmap, unicornscan, nikto, metasploit, dirbuster, dirb, sqlmap and so forth. The list was long and the previous tools are just examples, but the course didn’t limit users to use only those tools mentioned. I used also some small scripts that I coded myself, basicly mostly scripts that were using the tools mentioned before and about privilege escalations.

Lab network

Lab network consisted of tens of workstations and/or servers that are splitted between several subnets. From a students perspective, it meaned that some of the servers opened access to subnets that you were supposed to hack open and use mad pivoting skills to penetrate those subnets.Subnets are split between public, IT, Dev and Admin networks. Some of the servers were accessible only via another subnet. All information about the servers had to be found by yourself, pretty much only thing that was revealed beforehand was the IP – range of the lab network. The Lab network held Windows, Linux, Unix etc. servers with different OS variations. Some were notably more difficult than others, but all held one similar aspect; The student didn’t know anything about the server beforehand. All had to be throughoutly enumerated by one way or another. I can’t tell the details as I don’t want to spoil, but it is great environment for learning.

Exam

As an experience, The Exam was…”interesting”. Exam was 23 hours and 45 minutes long marathon and you were supposed to penetrate several difficult servers. All servers had different points between 10 to 25 points, totaling of 100 points. Minimum points to pass was 70 points, but you really had to do work for those points. After the exam, you have 24 hours to send your (professional) report about the penetration test in the exam.  The exam is booked via special link and specific exam guide and OpenVPN credentials for exam network are sended just before the exam starts. Oh, there was also limitations against the automated hacking tools like metasploit etc. Each exam also has different randomly selected servers.

Exam is not easy but the course lab network prepares students very well to the exam. By practicing and owning the servers in the lab network, students get experience and their mindset changes so that they start to think and solve problems more effeciently.  Because of limitation against the automated programs, you have to know how to do those automated attacks manually. That is good way to ensure that students really know they way around vulnerabilities and exploits.

My exam started at Thursday, 17:00. I owned and enumerated my first (Windows, 20 points) server at ~18:30. Second server (Linux, 25 points) went down and was enumerated at ~21:00 o’clock. After this my expectations were high and I thought that this exam was really easy, but I was very wrong. Third server (Linux, 25 points) pointed out to be a very difficult for me. Around ~09:00 at Friday I moved against another server after spending almost 12 hours in vain to get root access. I had limited shell, but not full access. Fourth server (Windows, 20 points) went down around ~13:00. Fifth server (Windows, 10 points) went down around ~14:00 and I went back against the third (Linux) server. But I didn’t get it rooted. So when the exam ended, I had 75 points + the points from one unprivileged shell.

After the exam ended at Friday 17:00, I went to sleep for a bit and got up around 21:00. Affter that I made the report for six hours, went bed around 03:00 and got up at ~07:00 Saturday morning. About ~16:30 I sended my exam report, exam notes, 263 pages document about course exercises and a ”big” document from lab network penetration testing.

After that, I spend the (very long) weekend waiting anxiously for the pass/fail email from Offensive Security.

Conclusion

Why security course from the perspective of offensive security? Why hacking and not preventing hackers? Because when you have skills and you know how to think like hacker, you can more effeciently search and prevent possible vulnerabilities from system. When you know how to exploit system, you know how to prevent them from happening. Because of OSCP, you also prove that you are cabable of doing the impossible.

From everything I have read, OSCP course is one of the most demanding computer security courses, if not the most demanding. When other courses mainly deal with learning from theoretical point of view, OSCP is learning by doing and forcing students to understand how attacks and exploits really work. OSCP also forces students to do a lot of personal research. Overall, if you like the technical aspects, want to know how things work and love (hard) challenges, this course if for you.

For me, the course was by far the most interesting that I have ever gone through. Althought from time to time I had to stretch my nerves very, very much, it was definetly worth it. Several times in when I spended hours in a seemingly dead end, I thought that is this worth it and do I really lack the skills needed for this course. But I proved myself and tried harder. Listening to Offensive Security song and chanting ”Try Harder!” I was able to overcome even the most hardest servers (pain, humble, sufferance) in the lab network. I used 60 days on the course, which is pretty fast for OSCP. But, I tried harder, and now I have Offensive Security Certified Professional certification.