Tuesday, 14 July 2015

My OSCP Review

What is OSCP?
Offensive Security Certified Professional (OSCP) is a certification you gain after having passed the exam of the Penetration Testing With Kali (PWK) course. As you may have noticed, I was rather silent lately on my blog, because I was in fact working full time the PWK course to get my OSCP, that I just managed to get this week.

Offensive Security provides 3 online courses, enabling you to have 3 certifications:
- Penetration Testing with Kali Linux (PWK)-> OSCP
- Cracking The Perimeter (CTP) -> OSCE
- Offensive Security Wireless Attacks (WiFu) -> OSWP

There is two other advanced courses only available on site live at Black Hat USA in Las Vegas:
- Advanced Windows Exploitation (AWE) -> OSEE
- Advanced Web Attacks and Exploitations (AWAE) -> OSWE

The course material is made of a PDF document and many videos, and contains besides the course, some exercises to do. To work on them, you have a Kali Virtual Machine given by Offensive Security, which is connected to a VPN to allow you to access the online Lab. The course is very well explained, and the PDF and videos complete each other nicely. The entire course topics are publicly available in the PWK Syllabus PDF. The course covers a wide range of topics such as Web attacks (XSS, SQL injection, LFI/RFI), basic stack-based overflow on Windows and Linux, enumeration using various tools and protocols, privilege escalation, password cracking, Metasploit usage, etc... One important thing to note about the course, is that it does not explain or teach you everything you'll need, you must dig deeper on your side to acquire more knowledge.

The course, although teaching you some tools and methods, obviously, is above all about teaching you how to think in front of an unknown problem. It can happen in the lab network, I'll talk in a moment, to need tools not covered in the course (they are included in Kali, you must be curious and check them). The course cannot cover the thousands of tools available. For instance if medusa and hydra are covered, nothing stops you to use patator instead. The bottom line is that after having taken the course, and practised, you should be able to overcome an unusual situation requiring a creative solution, using tools or exploits you never used. The hacker mindset!

The lab network is made of many vulnerable hosts and servers (I won't spoil the exact number!), divided in separate networks: public, developers, IT, etc... This means it is not a flat network, and to get beyond the public network which is available from the start, you will need to pivot trough compromised hosts to reach other networks. This leads to a very real-life training simulation, requiring all skills to be used, not just direct attacks on directly available servers. There is a variety of Operating Systems, not just Windows and Linux, which makes the lab really fun to practice. The difficulty is very different from server to server, there is no linearity or difficulty order, and some server are notoriously difficult. Three servers are apart from the others, difficulty speaking, and they are rightfully named Pain, Sufferance, and Humble. I got all servers from the lab, except Sufferance. Not bad, even though I would have liked to get this last one :-)

The hardest part for me was after finishing the course, and starting the lab network. Being left free, unguided, in this unknown network, was intimidating. The first servers were very painful, as I attacked some of the hardest of the public network without knowing it (I learned later they were known to be difficult). Also, at first my toolset was small, it only grown as I got more servers. You can connect on the Offsec IRC channel to chat with other students, and if you get stuck on a server for many days, you can talk to an admin to request an hint. Admins obviously do not give any solution, but are rather giving a nudge in the right direction, that sometimes also needs to be deciphered :-) When I reached 30 servers owned, I did not feel ready at all for the exam. That number cannot be relied on for anyone else, as it totally depends on one's experience. If someone is already a pentester, and is trying to get OSCP to have a good certification, then he could probably get 10-15 servers and try the exam. Some hacks few servers and have their exam first try, others have all servers and yet still fail their first exam try. Anyway, I extended my 3 months lab time for another 2 months, and by the 45th server, I felt more confident. I continued until I get them all, except one. This is not required to have all servers to pass the exam, but it was my choice to gain as much experience as I could. I don't really know how many hours I worked on it for 5 months, but probably 20 hours per week or more (my spare time was dedicated to it). Once again, depending on your current experience and skills, the time needed to work on it will highly vary. I have read about people who only worked 2 months, while others worked on it 8 months. It also depends on the available time you have per week.

The exam is a 24 hours marathon where you have to hack into a list of given servers, which gives you different points depending on the server difficulty (from 10 to 25 points per server). You need at least 70 points to pass the exam. The usage of Metasploit is highly restricted, you have to know to do it all manually. Each step must be in the Report, where the course exercises and lab servers you got are too. The exam is not easy, and is totally different of other exams where you can learn some courses, and answer memorized pre-formated knowledge. The course only shows you the way, you have to demonstrate your "out of the box" thinking while the exam. I went to my first try pretty confident, given all of the servers I got in the public network. However I failed my first try for many reasons... First, under the stress and time pressure, instead of doing a whole enumeration per server as I used to, I did partial enumeration and rushed as soon as I found a potential vulnerability. How wrong it was, as it made me lost some time and brought me some frustration. Secondly, I totally blocked on my very first server (25 points), and after 7 hours on it I have given up on it. This unfortunate start was very damaging to me: brain fried, lowering of mood, and 0 points. It took me some time to regain a fresh mind after a good break. I decided to work on other servers, and I had to use everything I knew to get with great difficulty 3 servers. At that time I had 50 points. Then I tried to continue my first server, and I used my 3 remaining hours on it without progressing. That was a full 24 hours exam without sleeping. The next 24h I sent my report to Offensive Security, knowing I had failed. That was a very hard experience, as I did not expected to fail the exam. I decided at that point to extend my lab for 2 weeks, and keep practising, and analysing the mistakes I did. I practised what I found to be my weak spots, and tried a second time, with success :-)

In my second try, I was like on steroids (I did not take any substance besides coffee!), I knew what was coming to me, I knew my previous mistakes, and I was ready to fight, while at the same time being afraid by my previous failure. This time I started the special challenge and got 25 points in less than 2 hours, it was a strong mood reliever! I took no break and got another easy server which brought me to a total of 35 points. I did not repeat my previous mistake of rushed enumeration... After this good start, I took a little break, allowing my brain to cool off (another thing I got wrong in my first attempt). I then attacked two other servers, with one requiring 4 hours of my time, as I had a very difficult time to escalate my privileges. 9 hours after I started, I already had a user shell on the last difficult server, for a total of more than 85 points so I knew it was won. I was very confident I could escalate my privileges on it and reach a full score of 100 points. I allowed myself a one hour break at that time to eat and watch some TV :-) I expected to get root on the server quite quickly, but I was wrong. It took me another 8 hours to find the solution! When at 5am, you get your root shell on the last server, you discover dance skills you never knew you had ;-) This time I allowed myself 3-4 hours of sleep, before waking up and writing my report. I did my exam on Thursday and Friday, finished my report Friday, and got my confirmation email from Offensive Security the next Monday. Offensive Security does not tell you what is your score, only if you failed or passed. It is possible to loose some points if not all steps are provided in the report, or if Metasploit was used on a restricted target.

The PWK course and OSCP exam were a wonderful experience, even if it was with tears and blood. That is the kind of experience, not just an academic course, where you hit many learning plateau, and where to break them and keep progressing you need to apply the Offsec moto: "Try Harder". It really works, many times I felt stuck, and not giving up and keeps trying was very rewarding. The course is for people who knows to learn by themselves, and are very motivated to obtain the OSCP certification. I can only highly recommend this course, as it was a real life changing experience to me. I would like to take the occasion to thanks all of the Offensive Security staff for bringing us such a high quality practical course!

Now I'm interested by the OSCE (Expert) certification, but I need to work some skills before attempting it. I'm now working full time on that goal.