Offensive Security Certified Professional (OSCP) Experience

Offensive Security’s PWK (Penetration Testing with Kali Linux) is definitely a good way to challenge yourself in the field of cyber security. It’s a course that is purely hands-on with a gruesome 24-hour exam to get certified. You’ll get access to a corporate network created by the Offensive Security team where the goal is to hack machines through penetration testing methodologies. To continue, before even explaining what I went through to achieve this, let me share a little background of myself.

Experiences before getting into PWK

Timeline
2015
  • I finished my bachelor’s degree in Computer Engineering.
  • At this point, I had the following skills rated as:
    • 3 – Could work with it comfortably.
    • 2 – Could work with it with Google’s help.
    • 1 – Could understand the terms and processes.
    • 0 – Nope. Just nope.

» 16 bit Assembly Language – 3
» C/C++ – 2
» Python – 2
» PHP – 0
» Javascript – 0
» Ruby – 0
» Perl – 0
» Bash scripting – 1
» Batch scripting – 1
» Computer Networks – 2
» Visual Basic.NET/C# – 2
» MySQL – 2
» MSSQL – 1
» Linux – 2
» Windows – 3

2016
  • Achieved Microsoft Certified Professional.
  • Achieved Microsoft Certified Technology Specialist in C#.
  • Took the cyber security specialization of the University of Maryland College Park through their Coursera program. The topics included were:
    • Usable Security
    • Cryptography
    • Software Security
    • Hardware Security
    • Capstone (I haven’t finished this yet)
  • At this point, I had the following skills/upgrades because of my work and personal experiences:
    » ARM Assembly – 2
    » 32 bit Assembly – 2
    » PHP – 2
    » Javascript – 2
    » Perl – 1
    » Ruby – 1
  • Decided to pursue a cyber security career path and discovered OSCP.
    » At this point, I was working for a small penetration testing company but wasn’t part of their red team.
    » My responsibilities went to anti-virus evasion for tools which are used by the penetration testers for their assessments.
    » I have set my goal to get OSCP by 2017.
2017
  • Worked as an embedded systems security researcher for a cyber security start-up which specializes in security for IoT devices. I had more exposure on Linux at this point.
  • Worked as a C# developer for vending machines.
  • Worked as a Python developer for IoT devices.

 

PWK Preparation and Registration

Timeline

06/29/17 01:47 AM – Initial Registration through the Offensive Security website.
06/30/17 09:11 PM – Offensive Security asked for more details even though I was using a non-free email so I sent them a copy of my government ID.
06/30/17 10:39 PM – Offensive Security reserved me a seat for July 30, 2017. Take note of the date. I was expecting that I am able to start as soon as possible because I wanted to get on it already. The reason why I was reserved for July 30 was probably because the seats were already full so if you are planning to register for Offensive Security’s PWK with a tight schedule, I suggest you register as early as you can because the seats fill up fast! At this point, my card (UnionBank PH EON) got declined during the payment process because the default limit was only 20,000 Php (~400 USD).
07/03/17 09:20 AM – Went to the bank to have my transaction limit for E-Commerce raised to 65,000 Php (~1300 USD) and the lady said it will be activated within 24 hours.
07/03/17 10:00 AM – Card declined (Was just trying…)
07/03/17 07:00 PM – Card declined (Hmmmm…)
07/03/17 10:00 PM – Card declined (Getting anxious…)
07/03/17 10:30 PM – Offensive Security moved the course date to 08/06/17 because the 72 hour time limit for the payment was over.
07/04/17 11:00 AM – Card declined (What in the world…)
07/04/17 12:00 PM – Went to the bank again to have my transaction limit for everything raised to 65,000 Php and the lady said it will be activated probably by afternoon.
07/04/17 12:20 PM – Card declined (Was just trying again…)
07/04/17 04:00 PM – Card accepted. Confirmed course date 07/30/17. Lucky that my previous slot was still available.

The registration process was a bit inconvenient on my side because of my card so if you are using Unionbank PH’s EON card, I suggest you have your limit for EVERYTHING raised to the estimated course fees so the payment can go through successfully. At this point, I was getting a small feeling of the “Try Harder” phrase of Offensive Security.

Since I still had about a month before the course official starts, I researched a bit and found Kioptrix 1, 2, 3, and 2014 from VulnHub which I downloaded to get a feel of what to expect in the lab. Took me a few days to put down each of them and I estimated taking down one Kioptrix level per week then finally, the course started.

Lab

Timeline

Week 1

  • Got the notes and videos.
  • Printed a hard copy of the 300+ page notes so I can read through it physically.
  • Finished up to chapter 5.

 
Week 2

  • Finished up to chapter 11.

 
Week 3

  • Finished the notes and most of the exercises.

 
Week 4

  • Hacked my first machine named BOB. He was laughing at me but in the end, I would say, “Who’s laughing now BOB?”
  • Hacked another 5 machines including PHOENIX and ALICE
  • Total hacked: 6

 
Week 5

  • Hacked 10 machines including LEFTTURN, BARRY, and BETHANY
  • Total hacked: 16

 
Week 6

  • Hacked 6 machines including BETA, GAMMA, FC4, and SHERLOCK
  • Total hacked: 22

 
Week 7

  • Hacked 4 machines including CORE, GH0ST, and HUMBLE
  • I won’t ever forget the experience with GH0ST, this machine speaks for itself. Glad I didn’t find myself hearing “BOO”.
  • Humble was a fun machine too. My programming experience really helped which led me to get a shell access in just an hour.
  • Total hacked: 26

 
Week 8

  • Hacked 2 machines
  • Had to visit the doctor because I was having health problems. Had to stop coffee at this point and I knew I was going to get slow in the next few weeks because of this.
  • Total hacked: 28

 
Week 9

  • Hacked 4 machines including OBSERVER, PAIN, and SUFFERANCE
  • I didn’t expect to get a fast shell with PAIN as this was one of the most talked about machine in OSCP and pretty much rated to be “Hard”. I managed to get a shell in less than an hour. Maybe because of the previous experiences from other machines.
  • SUFFERANCE was definitely challenging but it opened my eyes to new methods on how to get access.
  • Total hacked: 32

 
Week 10

  • Hacked 4 machines including PEDRO, SLAVE, and MASTER
  • Finished final exercises
  • Total hacked: 36

 
Week 11

  • Hacked 6 machines including EDBMACHINE, NINA, NIKY, JEFF, and CORY
  • Total hacked: 42

 
Week 12

  • Hacked 4 machines
  • Total hacked: 46

 
Week 13

  • Hacked 1 machine
  • Total hacked: 47
  • 10/24/17 – 1st attempt of the exam – Failed
  • 10/27/17 – Lab time ended but extended 15 days for the lab (This included a free exam retake)

 
Week 14

  • Hacked 3 machines
  • Total hacked: 50
  • 11/02/17 – 2nd attempt of the exam – Passed

 

Exam (1st Take)

I took my 1st attempt on the exam last October 24, 2017 at 06:00 AM. The exam was good for 23 hours and 45 minutes plus having another 24 hours to finish the exam report. I told myself “I’m ready” and “I’m going to pass”. This was also the day that my brother was leaving for Japan and I jokingly told him “When you come back, I’ll be an OSCP” with laughter. This was just right after I got my first 25 points. I didn’t expect this to be my first and last machine with a ‘DONE’ label on it. So the schedule went as:

05:20 AM – Woke up and had to freshen up.
06:00 AM – Received the VPN access to the exam network.
07:30 AM – Successfully hacked the 1st machine. Got 25 points.
12:00 NN – Took lunch and getting a bit frustrated. No entry point found for the remaining 4 machines.
12:30 PM – Got back to it.
05:30 PM – Frustrated. Still nothing.
06:00 PM – Got a low privilege shell probably good for 10 points. Confidence boost.
06:30 PM – Had a light dinner.
07:00 PM – Had a nap.
09:00 PM – Woke up and got back to it.
09:30 PM – Everything wasn’t working to the point that I couldn’t even make an echo ‘hello world’ work on my own environment.
01:00 AM – Got so frustrated and I had to give it a rest at this point. Body condition is not capable anymore.
05:45 AM – Woke up and just stared at the clock because I knew I failed then went back to sleep.

When I woke up the next day, I already knew I didn’t pass because the estimated points that I got were only around 40 assuming my lab report was perfect (25 points for the first machine, 10 points for the low privilege shell, and 5 points for the lab report). I met with my girlfriend and a good friend from high school during that same afternoon. I was devastated but all encouragement from friends and family came in so it wasn’t too bad. I embraced my failure and accepted defeat so the next day, I did a reflection. What went wrong? I’ve listed down a lot of things and thought about it so to summarize, here are the factors that led to my downfall:

  1. Scheduling the exam too early
    I am somewhat a night person because most of my clients come from Europe so my usual routine is waking up at 10 or 11 AM and I usually start working after lunch but in some circumstances, I work early too if there are a lot of tasks needed to be done for a client from Australia. This was definitely one of the factors that led to my downfall because 06:00 AM was just too early for me so the game plan for the retake was scheduling the exam at 03:00 PM.
  2. Not enumerating properly
    When I enumerated the exam machines and found some popular ports, I jumped straight right into it and didn’t do a full scan for further reference. This led me to a lot of rabbit holes and when I say rabbit holes, I mean the ones that are very deep that you won’t be able to recover back up. There were machines where I thought I was going in the right way to the point that I was already complicating things. This was the reason why I couldn’t even make my echo ‘hello world’ work because I played with some unicode characters before having a nap and when I woke up, I totally forgot about it. I just realized it when the exam already ended. My game plan for this on the retake exam was not jumping into “hacking” unless all details are written down in my notes. As Abraham Lincoln said “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
  3. Jumping around the machines every 1-3 hours
    This was a very bad method for me because during the exam, I needed to focus, not jump around and believe that I’ll get lucky with something. In this case, the game plan for my retake was creating a specific schedule for each machine. Here’s what I scheduled for:
    03:00 PM – 05:00 PM – Hacking of the 1st machine + start scanning the 2nd machine.
    05:00 PM – 06:00 PM – Hacking of the 2nd machine + start scanning the 3rd machine.
    06:00 PM – 07:00 PM – Pure enumeration of the 3rd machine.
    07:00 PM – 07:30 PM – Dinner.
    07:30 PM – 10:30 PM – Hacking of the 3rd machine + start scanning the 4th machine.
    10:30 PM – 11:30 PM – Pure enumeration of the 4th machine.
    11:30 PM – 12:00 AM – Break.
    12:00 AM – 02:00 AM – Hacking of the 4th machine + start scanning the 5th machine.
    02:00 AM – 06:00 AM – Sleep.
    06:00 AM – 07:00 AM – Pure enumeration of the 5th machine.
    07:00 AM – onwards – Hacking of the 5th machine.
    The decision of what machine to make the 1st, 2nd, 3rd and so on was based on the points. Oh and notice that I labeled more time for the “Hacking” part instead of “Enumerating/Scanning”? What I meant about the “Enumerating/Scanning” part was listing down all versions of the services, grabbing candidate exploits through research and just pure enumeration. The “Hacking” part was not just hacking but it included more enumeration too plus testing the listed candidate exploits. Another thing was since I had the previous exam experience, I knew what to expect with regards to the difficulty hence, the timing of each.
  4. Not following a good methodology
    What do I mean about not following a good methodology? Let’s say I found a web service running through port 80. What’s the first thing that I do? Do I run “dirb” directly with the largest dictionary in Kali? What happens if no directories were found? Do I proceed in using “Nikto”? Check “robots.txt” if it existed? Use the Nmap scripts? I didn’t list down a good methodology in this case which made me forget that I needed to run this test and that test which made the enumeration part very messy. Have a good methodology ready. Hacking the corporate lab network is the best opportunity to develop a good methodology as each machine has a different story.

 

At this point, I had my confidence boosted again. I can do it in my 2nd take. If I fail again, I’d look into where my mistakes went and try to correct it for the 3rd retake and even 4th if I still won’t get it.

Exam (2nd Take)

The 2nd take schedule was November 02, 2017 at 03:00 PM. My brother arrived from Japan November 01, 2017 and I seemingly lost it a bit because I remembered my frustration on the first take especially when I told him that when he comes back, I’ll be an OSCP. Kept calm and ate chocolates that he brought home. Oh the joy.

On the retake day, I woke up around 11 AM and got ready.

02:45 PM – I was getting nervous.
03:00 PM – Received the VPN access to the exam network.
03:45 PM – Successfully hacked the 1st machine.
04:30 PM – Successfully hacked the 2nd machine.
05:30 PM – Successfully hacked the 3rd machine.

At this point, I was jumping with joy because I managed to root 3 machines in just 2 hours and 30 minutes! “I’m surely gonna pass this time” I told myself. Oh boy I was wrong. This became a nightmare shortly. I was just missing 15 points to pass! Well technically, just around 10 points if my lab report was perfect (For the bonus 5 points). I sticked to my game plan especially with the schedule that I created. By 02:00 AM, I was definitely frustrated because I couldn’t get into the 4th machine despite having loads of information. I tried to sleep but couldn’t. Maybe because of the worry that I had for the last 10-15 points!

04:00 AM – Managed to sleep.
05:40 AM – Woke up with a bad toothache.
06:00 AM – Still no luck.
07:00 AM – I was really frustrated and went back to sleep. I knew I was going to fail again.
09:50 AM – Woke up.
10:00 AM – I relaxed and put myself together. Read the exploit that I found in the previous night and I realized something’s ‘off’.
10:10 AM – I got a low privilege shell for the other 25 point machine. I had the right exploit all along. I just didn’t read it correctly the previous night.

At this point, I was overjoyed. Since this was a 25 point machine, a low privilege shell could be worth 10 or maybe 15 points so technically, I was in the 65-70 point range (70 was the passing) without the bonus 5 points and if the lab report is perfect then I’d probably have 70-75 points. I was very tired to continue even though I had sleep so I called it a day and took the proper documentations. By around 1 PM, my internet got cut off. Thank you for the pain that you shower upon your consumers Globe Telecom. I was lucky that I got up at around 10 AM to finish where I left off because if I delayed it, I could have lost hope!

02:00 PM – Managed to sleep again.
02:45 PM – Exam time ended.
04:30 PM – Woke up and thought about working on the report already but still no internet connection from Globe Telecom.
05:30 PM – I decided to finish my report on a coffee shop.
08:00 PM – Got in the coffee shop.
09:00 PM – Too tired to finish the report.
12:00 AM – Started again.
03:00 AM – Finished the report and sent to the Offensive Security challenges committee for evaluation.
03:47 AM – Committee confirmed that the email was received.

By November 05, 2017 at 05:11 AM, I received an email that I passed!

Didn’t expect it to arrive at this day because it was a Sunday! I was overjoyed! So I went to Church that morning too and on my way to Church, I lost my wallet. All my government IDs and bank cards lost in a snap of a finger. What a face palm but no worries, I’m still happy that I achieved OSCP!

By November 22, 2017, got an email about the certificate shipment.

November 25, 2017, the certificate arrived!

The experience was definitely amazing. Lots of things happened during the journey. I met new friends from around the world who were working as security professionals, network engineers, and software developers too. The topics I learned from the training were astounding and not even close to what I expected. The phrase “Try Harder” is very popular in the Offensive Security courses because they are definitely challenging! I’m opting for OSCE probably in late 2018 as long as I finish the book that I ordered from Amazon “The Shellcoder’s Handbook”. Just some final tips for aspiring OSCP’s:

  1. Never run exploits blindly especially from sources that are not trusted. It only takes a few bytes for you to get hacked. Be careful.
  2. If you are planning to extend your lab time, I suggest you take a shot on the exam because if you don’t, extending the lab time will not include a free exam retake. This will definitely give you a feel of how the exam goes and maybe, you could even pass!
  3. Persistence and determination is the key here. It’s definitely okay to fail as long as you learn from the failure that you’ve experienced. The only real failure here is not accepting defeat and not doing anything to correct it.
  4. Before signing up, take time to work on some machines in VulnHub. This will definitely save you a lot of time when the lab starts. If I had the chance to do this all over again, I would have downloaded at least 10-20 VulnHub machines before signing up for PWK.
  5. The forum is a good way to interact with other students and share insights. Oh and what I mean about these insights are them being “cryptic” because you’ll only understand them if you’re in the right track.

 

Some quotes to boost your confidence:
“Believe and succeed”
“Act as though it were impossible to fail”

and finally, my favorite one:
“As you believe, so shall it be done unto you”

7 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *