Hello everyone, it has been a long while since I last posted. I have been really busy with the OSCP during almost all of 2017. I was coming and going with the lab access and I had to try twice until I was able to get through. I just wanted to share with you my view on this certification and also what you should expect if you are thinking of getting into it.
First of all, I have learnt a lot. That makes it worthwhile regardless of whether you get certified or not.
I started almost one year ago. If you read other reviews you will find people getting the certificate in one month, in three months, and also in a couple of months. It was not my case. I started by spending the first month going through the PDF course and videos. I was also solving the exercises in the lab. That helped me identify some weak systems and take them over. After that I was a little bit lost because I lacked ideas when facing a box. I did not know where to start when I found 15 ports open on the same box, so I spent another month targeting different systems, sometimes stuck on the same system for a week. You know it is vulnerable, right? You are good at this, right? You have to pwn it! Wrong. You are learning, you are probably not good enough yet, and the system you are targeting may depend on another box.
After three months I took a rest because I felt I needed it. Too many concepts, too much frustration, but I was also fully determined to get into it again and give the exam a try.
After a couple of months I felt strong again and went for it. I got another month of lab time and that month was really clarifying. I was able to get 20 boxes pwned by the end of the month, and I decided to give the exam a try. I failed. I really tried harder. I tried everything I knew, but the key was that I did not know enough. My mindset was not helping me. My mind was trying to find bugs instead of searching for them in exploit-db or other sources. The first experience with the exam definitely helped me in my second attempt.
I took another rest at this point, but I was not wasting my time. I found 23 ways to get a shell on Metasploitable 2 and I was also able to pwn Metasploitable 3. I also went through the Metasploit course to become more familiar with the tool, and I invested a lot of time in privilege escalation. At this point my toolbox was full of new weapons and I got another 15 days in the lab. I got three new boxes pwned, some of them pwned twice using different exploits, and I focused on getting everything from each box I landed on. Exhaustive work is one of the keys. I tried again at the end of the 15-day lab period and this time I passed.
I started at 5 PM. In the first five hours I got 45 points: I managed to root one 25-point box and another 20-point one (70 are necessary to pass). I was 25 points away from the thin line which separates success from failure. I went to sleep. I managed to get some hours of good sleep and came back with 10 hours still ahead to pwn the 25-point box. 1 hour, 2 hours, 3 hours, 4 hours… OK, I needed to try something at this point even though I only had some insights, good ones, but still no exact match on the software version for the exploit. I tried, and I got a shell with limited privileges. The escalation proved to be easy on that box, so after I got the root shell I breathed deeply and decided to go for the other two boxes. I managed to root another one in the last 5 hours. It was tough… but it was not over yet… the report was still pending.
After taking a break, I was ready to start the report. I finished with a 35-page report with all the steps I took to root the 4 boxes. At 1 AM I sent the report and went to sleep.
This was my story, but probably what is more important for you are the tips you should follow to make your life easier with this certification.
- Focus your efforts on learning all the techniques at the beginning instead of on pwning boxes.
- Do not assume you will know how to do it when you face it. The devil is in the details.
- Do not try to find a new bug; that is not the aim of the certification. You need to enumerate exhaustively every single port, service and piece of software to get its version, and then search for the vulnerabilities with searchsploit.
- Do not forget this is penetration testing with Kali Linux. You can do everything with the preinstalled tools.
- Take your time. Do not put yourself under too much pressure; try to enjoy the path instead of seeing stones, and try to treat them as challenges which will make you stronger.
- Beating your frustration will bring you nearer to success.
- Most of the boxes in the labs are there to teach you one or really few aspects of what you have already found in the course PDF and videos. The problem is you will have to figure out which system is there to teach you which technique, and that takes plenty of time. Be aware it is not going to be easy.
- Be water, my friend… be water. You need to gain lateral thinking. If you can't delete a file, rename it; if you can't restart a service, restart the system; if you can't deploy through a manager you have the credentials for, go and deploy manually in the folder. Learn to be water.
- Detect and train your weak points. You know it, you are not good at everything, so train your weakest.
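The "enumerate every service and version, then search" tip above is a bookkeeping problem as much as anything. The following is an added example, not code from the original post: it parses the XML that `nmap -sV -oX` produces into a per-port inventory of open services and builds the product/version strings you would hand to searchsploit. The XML, host address and versions are constructed sample data.

```python
# Added example (not from the original post): turn nmap -sV XML output into an
# inventory of open services and derive searchsploit query strings from it.
# The XML below is constructed sample output, not a real scan.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21">
    <state state="open"/>
    <service name="ftp" product="vsftpd" version="3.0.3"/>
   </port>
   <port protocol="tcp" portid="22">
    <state state="open"/>
    <service name="ssh" product="OpenSSH" version="7.4p1 Debian 10+deb9u7"/>
   </port>
   <port protocol="tcp" portid="80">
    <state state="open"/>
    <service name="http" product="Apache httpd" version="2.4.29"/>
   </port>
   <port protocol="tcp" portid="445">
    <state state="filtered"/>
    <service name="microsoft-ds"/>
   </port>
  </ports>
 </host>
</nmaprun>"""

def parse_services(xml_text):
    """Return one dict per OPEN port: host, port, name, product, version."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry nothing worth searching
            svc = port.find("service")
            services.append({"host": addr, "port": int(port.get("portid")),
                             "name": svc.get("name", ""),
                             "product": svc.get("product", ""),
                             "version": svc.get("version", "")})
    return services

def searchsploit_queries(services):
    """One query per identified product. Only the leading version token is kept,
    because distro suffixes such as 'Debian 10+deb9u7' rarely match exploit titles."""
    queries = []
    for s in services:
        if not s["product"]:
            continue  # no product name means nothing useful to query
        queries.append(f"{s['product']} {s['version'].split(' ')[0]}".strip())
    return queries
```

Feed each returned query to `searchsploit` (for instance `searchsploit OpenSSH 7.4p1`) and keep the inventory next to the results so nothing found by nmap goes unchecked.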
Convenient skills to have before you go into it:
- Linux and Windows command line for administrative tasks
- Scripting languages and C
- Administration of the most common services and servers: FTP, HTTP, SMB, Samba, MySQL, MSSQL, PostgreSQL, etc.
- Buffer Overflow
- Password Cracking
You can actually get all this knowledge by yourself before you start. It will be really helpful to you.
Regarding the most important references, I will give you just a bunch of them, but they are essential ones:
- Creating Metasploit payloads: https://netsec.ws/?p=331
- Windows priv escalation: http://www.fuzzysecurity.com/tutorials/16.html
- Linux priv escalation: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
What this certificate “tells” about you
Beyond the skills you will get, this certificate says some things about yourself.
- You love the technical side of security
- You (almost) never give up
- You are tougher than a Diamond 🙂
- You really know how the different hacking techniques work and how to put them all together to pwn a misconfigured system.
Probably the main drawback for me could also be understood as a strength, but not for me. The use of automated tools is mostly forbidden, which forces you to go the hard way. This is good in one sense but not so good in another. Let me explain. The point is that time is gold during an engagement, and that means you need to know automated vulnerability exploitation apart from the manual way. Nobody is cheating you; the certificate is what it is: the manual and the hard way. How useful it is in the real world is something everybody should assess for themselves.
It is just a good starting point; for advanced exploitation you should go through OSCE. Do not expect fancy exploits but simple ones, and also no advanced concepts like ROP.
Go for it, try harder.