Tips for an Information Security Analyst/Pentester career - Ep. 67: OSCP path and some considerations - What I did wrong and what I'd change

Last updated: 3/20/2021 - I revamped this post with some more considerations. Additionally, I now have way deeper insights on the OSCP, having attempted it multiple times, and several things have changed in the meantime (I've been a penetration tester for a while, for example). The basic considerations behind this post still hold true, even though I might come up with a new post about it.

I've been studying for my OSCP certification over the last three months.

I've gone silent, because I'm in full OSCP mode and I'm totally absorbed by my study. 

However, I now feel the need, after all this time into the class and being close to the exam, to express some considerations.

I can't reveal too much about the lab machines and the exam, but I can nonetheless give some advice to who's thinking of approaching this certification.

OSCP general considerations

I won't spend a lot of words about what OSCP is and how to achieve it.

Too many people have already talked about this topic way too much for me to further add to it.

I only need to remark the acronym stands for Offensive Security Certified Professional.

For you to achieve this certification, you need to go through the Penetration Testing with Kali Linux (PWK) class.

That's what you need to know about PWK: https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/

As for the OSCP exam, rules are different than the lab, in that they're way stricter (see here: https://support.offensive-security.com/#!oscp-exam-guide.md)

Hands-on tips

• Metasploit can be utilized only once in the exam, so get used to help it in the lab. You can use Metasploit and Meterpreter on a single machine of your choice, while you can freely use msfvenom and multi/handler. Moreover, if your payload doesn't work on a machine, you can't use it anymore in the exam on another machine, so choose your target wisely.
  My take on this is you guys should learn how to exploit machines without it. Yes, you'll go much slower but you'll learn much more. Additionally, I often have better results with manual exploits than with Metasploit modules, as the latter ones work only if specific conditions are met. I found this useful post on this topic that I warmly recommend you to check. The logic behind OSCP exam is to enumerate and recon way more in depth, in order to learn finding and sensing what vulnerable services can be exploited, not to use automated tools with a set-and-forget approach. With that being said, in a real-world engagement you surely wanna use Metasploit and Meterpreter any time you can. OSCP exam goals don't always match with the goals of a real-world pentest.

• You can't even use automated tools such as Nessus, Sqlmap and more, so use them sparingly. Recon is very important. I often found way more information on the machine by analyzing its web directories with Nikto and dirb and I often uncovered vulnerable services like PhpMyAdmin which weren't always listed in the Nmap scan. However, you can use a tool called AutoRecon, which I warmly recommend. Only, don't wait for it to finish its scans before looking at its output, because it can take a while for it to scan five machines.

• THERE MUST BE SOMETHING VULNERABLE: They gave you a certain machine to hack because it can get hacked. Maybe it'll take a while and a bunch of attempts and it'll be a pain in the butt, but IT CAN BE DONE. FIND HOW.

• STUDYING IS MORE IMPORTANT THAN POPPING UP SHELLS: if you don't know how to perform a buffer overflow and you'll need to write a BO exploit in order to hack a machine in the exam, you're gonna have to go back to the drawing board and figure it out. I'm going back over the parts I didn't get right and that way I could perform a win32 buffer overflow. I'm glad because I had initially skipped it when I was struggling with that concept, so this makes me more comfortable with my success chances. As for buffer overflows, I warmly recommend checking this out. Studying gives you the weapons for you to hack. If you don't study, you're like an archer having no arrows.

• DON'T GIVE UP /TRY HARDER: if you fail your first exploit attempt, don't let this hold you back. Try again and again. I'd also add you need to TRY SMARTER. If you see your attempts are leading nowhere, take a break, clear up your mind and consider taking alternative routes. Maybe you're trying it the wrong way, maybe that specific service isn't exploitable, or there are other services running on that machine that could be low-hanging fruits and much easier to exploit. Go back to your recon and try to collect more information about your target. You'll often find you might have overlooked something important because you were one-sidedly blinded by your very stubbornness (yup, I'm guilty, too, Your Honor).

• RESEARCH: someone might have posted useful tips on Twitter or other sources. Additionally, there are some VMs on Vulnhub which are alike some machines in the lab and their walkthroughs can give you a head start. For more info about it, have a look here. Research exploits on exploit-db.com or other sources.

• BE CREATIVE: you need to upload an exploit to a victim machine but it doesn't have an internet connection, so you can't? Upload it from your VM by using scp over SSH. Find another way of getting things done that allows you working around problems.

• KEEP AT IT: OSCP is something you need to do full time.You can't do it over the weekend only. If you're not able to put in a certain number of hours per week, sleep it over, as the financial investment you need to make for it is significant. I actually took a break and I'm between jobs right now, just because I decided what I was doing wasn't worth it and I'd rather study full time. I had a great benefit from it, as I hacked a bunch of VMs manually and I'm starting developing a sense of what services can be vulnerable and how they can get exploited. Additionally, I had some real-world engagements and it helped me to this regard.

• DON'T OVERTHINK IT: Try simple stuff first. Often times, you'll find yourself up with a login screen. Don't feel lost, try simple stuff such as admin/admin or admin/password as credentials, You might immediately think, "It will not work" and give up. Don't do it! You'd be surprised by how often it does, instead. Consider this certification is hands-on and so it tries to resemble a real pentest. In a real-world target, computers are used by people and they do the dumbest stuff ever. Don't immediately rule out the possibility for you to get rewarded by human dumbness. You can almost always rely on it. You can look up default credentials for specific services (like PhpMyAdmin) and try them out. Often times, the sysadmin didn't bother changing the defaults  and you can get in. For example, when you see Tomcat is running on port 8080, try default credentials tomcat/tomcat, as they might often work. If that doesn't work, brute force it with Burp Suite, hydra, medusa or alike tools. If the password is weak and it's in your wordlist, you can get in easily. 

• BE PATIENT BE PATIENT BE PATIENT (Infinite loop): Often times things won't work. I keep a list of failed exploits, so I won't go through them again for a specific machine. I got over 35 failed exploits to achieve a privilege escalation on a Linux box. Don't let it stop you, keep trying and trying until you succeed. The longer the list gets, the better I get at exploring these machines because I start sensing what works and what does not. You need to fail often, increasingly and fast for you to succeed. My list keeps growing and growing and, when I can tick one machine off my list because I hacked it, it feels sooooo good.

• STAY FOCUSED: I always keep an eye on Twitter and I often need to stop looking at it because I'm not finding anything productive in there, even though it can sometimes get you some help. You might surely want to follow the #OSCP hashtag on Twitter and all the most important guys n the security industry.

• LOOK FOR ADVICE ONLY IF YOU NEED: you want to develop a proactive attitude and try all possible alternatives before asking for help. Should you just need it, I find the Offensive Security live chat support very valuable, those guys are very knowledgeable and helpful. Also, check Offensive Security PWK forum. They have chat rooms where you can exchange ideas and tips with other OffSec students about every single machine in the PWK lab environment (you'll need a valid Offensive Security student ID to access them). The forum is moderated and they remove spoilers, so you can't give away too much information in there. I discovered the forum really late in the game, and I mostly exploited my (so far) 34 machines by myself. The forum can be useful and pretty eye-opening sometimes, but I have a couple of caveats for you: (a) you might end up relying too much on it and (b) some jerks in there occasionally post wrong/deceiving tips, so take all their suggestions cum grano salis. Additionally, some folks found some specific machines easier to hack into than other people because they forgot or purposefully failed to revert them, and found those machines were already fully or partly compromised. I know, ticking off a machine that easily off your list feels good, but that doesn't help you for the exam. There's no hand-holding in that environment, so get used to it as soon as you can.

• LOOK FORWARD TO GETTING CHALLENGED: if you love getting challenged, this is the right certification for you. If you're used to, and expect a multiple choice test, go for PenTest+ or CEH but don't expect for the latter ones to add real value to your career.

WHAT I DID WRONG 

• Focusing too much on what I knew (Metasploit and Metepreter). It's a set-and-forget approach but it's no use, if it fails, because you don't know why it did so. Researching what went wrong goes a long way.
  
  
• Getting too discouraged when I didn't understand concepts.
  
  
• Focusing too much on the numbers I was given in the buffer overflow example. They were a mere indication, mine had to be different but, if I didn't test them, I couldn't know if my exploit worked or not. I didn't want to go through the pain of testing and testing, but it can't be avoided. So I started by adding 500 bytes. Too big of a payload, then I tried 450, 430, 420… until I got a shell. It's OK to get stuck but don't get numb and paralyzed by your fear of failing. Fail and so be it. You'll learn way more from it than you'll do when you get it right first.
  
  
• Being too harsh to myself: I tend to think I can do way more than I probably should and I'd like to pwn 20 machines at the same time. Well, I was using Metasploit and hacking 2-3 machines at the same time because they were all the same, but what does it tell you? How to setup RHOST, RPORT, LHOST, LPORT and so on, but nothing on how to locate vulnerable services. Take it easy and you'll find a way, you need to slow your pace down a little bit in order to go faster.

WHAT I'D CHANGE

• Study full time from the start: I pretty much wasted three months. I could do something valuable only in the last period, when I quit my job, but I did way better since then. I could go nowhere when I worked, because I couldn't study the right way. I read about people getting up at 4.30 am to study and then going to work. I don't know whether I can do this, but I'm willing to do it, if I need. Right now, studying full time is the best solution for me.
  
  
• Sign up for PWK over cold months: I don't have air conditioning and heat took a toll on me. It was hard to study when it was really hot and weekends are full of activities I need to perform like mowing the lawn, etc. Sadly you got a life, too. Not so much over the winter in Ohio. When you see nothing but snow outside, you're more motivated to study hard, even because you can't do almost anything outside.
  
  
  
• Sign up earlier: I took a prep class before and it wasn't much worth it, then I got my previous job (which wasn't sadly much better than that, and I'll keep it at it). I got sidetracked, it won't happen again. Go for your dreams and do it as soon as you can.

Wrap up 

OSCP is the de facto pentesting certification standard, even though SANS certifications are very valuable, too.

OSCP is a hands-on exam where you need to hack five machines in 24 hours and then write a report (in the next 24 hours). You need to be persistent and overcome lack of sleep, frustration and lack of mental focus, so it really puts you to the test.

An employer can see it valuable because it might be an indicator of how you deal with real-world stressful engagements.

So, it' s not a box-ticking quiz and no one hands you the answer, you need to work to get it and, by the way, that's what hacking is about.

You read the documentation, you find undocumented exceptions, you do all you can to get it done.

If you consider doing this, stick to a no excuses mindset.

You'll go a long way.