A Digression: The Offensive Security Certified Professional (OSCP) — Part 2 of 3

#offsec #pentest #training #tryharder

I want to try harder and earn my OSCP! What should I do?

Well, this part of the review is meant for you!

How Much Did the Author Know Before Taking the OSCP?

Unlike most people who took the OSCP, I took it knowing that my fundamentals were not good. After all, my background prior to my current job (as of writing) was in Physics. Suffice it to say that my foundation simply was not there.

The price to pay was that I suffered for two weeks just trying to go through the course notes and pick up basics. While I picked up some Linux command line knowledge through OvertheWire, I was simply not good enough.

However, self-awareness is often the first step to a compensation in performance. Because I know I was wholly inadequate, I decided to take this as a journey. With a full ninety days of laboratory time, it was easy to ride the waves and try to learn as much as I could, with the anticipation that I would probably fail the first examination.

In hindsight, if I had to recommend what people should know before going for the OSCP, the following would be helpful:

  • Linux command line and Windows command line knowledge
  • Competency in a favoured scripting language: Python is preferred
  • Some network basics (TCP/IP, UDP)

Everything else you need is covered in the course. However, it will be an extremely hard slog. Hence, we also recommend an extreme appetite for sufferance and capacity for pain. You’ll repeatedly be humbled in the course of learning, but what is learning if you do not feel enlightened?

Is it REALLY an entry-level course?

It is probably the course to do to be introduced to the world of penetration testing.

This used to be called “Penetration Testing with BackTrack”, and in those days, this course was marketed as an entry-level course. While this is true, the world of penetration testing is not entry-level. To understand this, the next question should guide you.

What Will You Learn While Going for the OSCP?

Most of my knowledge about computers probably came from the OSCP. Penetration testing requires the student to:

  • be familiar with different environments — there are different objectives, configurations and set-ups.
  • think creatively
  • think systematically
  • try harder. 🙂

The first is probably what demands lots of explanation. Because today’s systems are complex, some of the research that an OSCP student will encounter:

  • What are network services? What kinds of network services exist? How can they be interacted with, and what information can we enumerate from them?
    • Common ones: file-sharing (SMB, FTP, NFS), monitoring (SNMP), mail (SMTP, IMAP, POP3), web services (HTTP/HTTPS).
    • Sometimes we may encounter services we have never seen before. We must have a toolkit to learn about network services. Wireshark is a standard tool for network analysis.
  • How do users interact with systems? How do the users’ insecure practices lead to exploitation opportunity?
    • Default accounts with default credentials. (E.g. anonymous FTP)
    • Granting excessive permissions (think providing read/write access when sharing files, instead of only read access)
    • Using weak browsers, giving rise to client-side attacks. (E.g. the Aurora exploit)
  • How are the Windows and Linux file systems organised? What are the default files? How are some basic operations performed?
  • How can misconfigurations happen? How can these be exploited? (There are too many kinds of misconfigurations — these can cover entire chapters of a pentester’s guide.)

You will also learn how to think creatively. “Abuse” is a common word in the world of the penetration tester. Can certain misconfigurations be abused to escalate privileges? Can unintended ways of interacting with web applications result in arbitrary code execution? And because investigating “abuse” cases is far more diverse than “proper use cases”, it is probably a whole field of creativity. We think of bypasses, misconfigurations, loopholes and other exploits.

You will also learn how to think systematically. To be an effective penetration tester, one must be able to put down, in writing, the process from the start point to the objective. Otherwise, we cannot communicate with the customers who engage us to advise them on how their systems should be better secured. Clear documentation cannot be over-emphasised: a client who does not understand the penetration test report has had their time wasted, and a penetration test that cannot be acted upon is also a waste of the pentester’s time.

The best is saved for last, of course. The spirit of trying harder. Because I was so new, I failed far more often than I succeeded. These range from scratching one’s head over “null pointer exceptions” (happens frequently with exploits written in C) to falling through rabbit holes (enumerating, enumerating, enumerating, and getting tunnel vision). There is plenty of learning, sleepless nights, burnt weekends and perhaps, waking up at 3 in the middle of the night because you thought you had an idea on rooting a lab machine, only to realise, oops, it doesn’t quite work.

The short answer is: you learn far more than you bargained for.

How many Days of Lab?

As many as it takes to learn whatever the lab has to offer. Do not only focus on “flags”. Focus on learning.

I am a blue-teamer. Is it worthwhile to learn offensive techniques?

For learning, yes. A common task a blue-teamer is asked to do is hardening. What happens when servers are not adequately hardened? The labs show you, through some of the exploits one can find there.

What do you recommend to try outside of the labs?

There are too many resources to recommend, so let me give some samplings.

HackTheBox: great. Some are CTF boxes, but you’ll learn something, generally. Has the added bonus of Windows machines.

VulnHub: great. Google “OSCP-like vulnhub VMs” for practice machines. I personally think, though, they border a little on the “easy” side.

Pentestit: good, though I haven’t really dabbled too much in this one. It resembles a corporate environment, which allows you to practise techniques such as pass-the-hash and port forwarding.

How was the exam?

First of all, I must say that the OSCP examination is one of the very few examinations I thoroughly enjoyed. This sounds odd, but let me explain.

First up, the examination is 24 hours long, taken from the comfort of your own home. There are a number of deliberately vulnerable machines that the student needs to break into and prove his or her control over.

On my first attempt (which I failed gloriously), I thought I would write a strict timetable, partition three to four hours per machine, and I should be good to go. It was not to be. Instead of retreating, I fell into tunnel vision, and predictably, I flunked the first time. At that time, I also knew, mentally, I had zero fortitude to survive a twenty-four-hour exam. I turned into a zombie somewhere around the halfway mark. Terrible!

There were some friends I knew who heard twenty-four hours, and they did not even want to take the examination anymore! At that time, though, for me, the only thought was, “Well, since I’ve already got here, there is nothing left to lose. Let’s try harder.”

Another attempt went, and I bit the dust, once again. This time, it was not so much because I had completely zero fortitude. I could survive the exam, but I just lacked a proper methodology. I still fell into tunnel vision problems. I would enumerate aimlessly, only to realise that I got nowhere, lost in the examination labyrinth.

But I still wouldn’t give up. 🙂

It was only on the fourth exam that I managed to do it! In fact, I managed to get my minimum score in 10 hours this time! I was over the moon when I managed to complete enough objectives after 10 hours, because it meant a rite of passage. I could claim to have tried harder!!!

The strategy that worked: rotate between machines frequently, and take as many breaks as you need. There is no need for many snacks, but hydration is extremely important. Stretch, walk, do whatever it takes to avoid being cramped in the seat for long. And if one sets an exam strategy, STICK TO IT!!!

The examinations also hold a significant memory, because I remembered being happy that I was also learning on the exam. The nature of the exam is such that it is unpredictable, there are no “past-year reference materials”, no “model answers”, and all one has is experience. And experience comes from sufferance from failure.

Each examination trial felt like meeting the sensei, armed with sword in hand, in the hope I could land a strike on the sensei. It felt like a duel. A game… and I felt far more productive on the examination days than working on the labs. Somehow, the examination mood here is uplifting, one where you feel like you’re taking on the world, and if you tried harder, you would certainly feel elated.

Why does this certification mean so much to you?

If you had asked me about “security” two and a half years ago, I would have drawn a blank. I only transitioned to the cybersecurity field sometime in 2016. Straightaway, I was thrust into blue-team work, and after a while, I was sent to try harder.

Part I described the in-course experience, but there were also friendships to be made outside the labs. For one, there were fellow students who were struggling in the course, just as I was. We would, from time to time, visit the IRC channel for us students (yes, IRC still exists), only to be taunted with “try harder” initially.

But the people in IRC were, by and large, security enthusiasts in their own right. They hailed from various backgrounds, from network administrators to CTOs, from pentesters to consultants. All came into the OSCP for their own reasons.

For me, I had my own pride in the game. I hate giving up, especially when I believe something is important. In this case, the proof that I can transition from my previous field (Physics) to cybersecurity and thrive.

The fact that I now have my OSCP means… I tried harder. I managed to do something I never quite planned for. I can show I have learnt something new, from nothing.

There is a second reason, and perhaps it is more philosophical. Trying harder extends beyond the OSCP. In short, as an individual, I like to go beyond what is normally required of me, and challenge myself. When I decided to jump into security, knowing almost nothing at first, I was lost, but I was determined to make a proper living out of this and obtain proper credentials. The OSCP reminded me, in many ways, about never giving up on life’s dreams, and always trying harder. To me, trying harder is now a core value. Life’s dreams will only turn into reality if we try harder. We must fail, suffer sleepless nights, go through sufferance, be repeatedly humbled and take pain. Through difficulty, learning accelerates, and once we make it, the victory is far sweeter than if we were presented the path on a silver platter. Besides, it is in failure that we learn not to repeat our mistakes.

I thank Offsec for reminding me about a life philosophy.

I want to read other reviews… I mean, you’re a masochist to want to try harder, right?


Coming in Part 3: The vulnerable machine, dedicated to trying harder, shall be published just for aspiring pentesters to have fun with. Also included are some unconventional ways to prepare for the examination besides the usual “practise in labs”. Some of us may want to do things slightly differently. Stay tuned!
