It’s been about two and a half weeks since starting the OSCP, and I can already say that it has been one of the most enjoyable experiences I’ve had in my life. When I started the OSCP, I had planned to write well-structured blog posts discussing my progress, how I’m feeling and so on, but I quickly realized that I suck at writing, and articulating semi-cognitive thoughts is just not in my wheelhouse. So, instead, I’m just going to throw together some random bullet points I’ve mentally noted since starting, and answer some of the questions that I’m sure some people may have about the course.
Who are you and what prior experience do you have?
My name is Derek and I’m a random college kid studying Computer Science. In terms of prior experience, I hold some of the “HR-friendly” certifications: Security+, SSCP, GSEC and CCENT. I have also taken the eCPPT certification, which I would HIGHLY recommend if you can afford it. Additionally, I am semi-active on HackTheBox (not so much the last few months due to school), with around 40 boxes owned. I also post video walkthroughs of HackTheBox and Vulnhub boxes here, more for my own retention than anything else. Overall, I’d say I have relatively solid background experience for the OSCP, but not nearly enough to confidently jump right into the exam or anything; not even close.
How much progress have you made?
My progress so far has been, in the greatest sense of the word, mediocre. Of course, I do have some excuses: other responsibilities, family vacation, and so on. All in all, I’ve probably had six or seven days of fully dedicated time to the OSCP. For the first few days I just worked through the PDF exercises, documenting everything as I went to get those 5 extra points. After about two days though, I somewhat moved away from that. The exercises themselves, especially the buffer overflow stuff, are quite good, but I can only do confined, school-esque work for so long. Additionally, the first half of the course work is a lot of the fundamental stuff that I feel I already have a semi-decent handle on, which adds to the tediousness of it. I’m sure I will enjoy the exercises much more as the course progresses and I start dealing with things I’m not familiar with.
As of now, and for the last three or four days, I have been dedicating ~6 hours a day to exclusively working in the lab environment. Of the 46 public systems, I have owned 13 of them, each of which I have written an individual report for. Writing these reports is good for two reasons: the points and the retention. I find myself remembering and understanding things at a much more granular level when I’m forced to walk through and explain what I did, similar to my HackTheBox videos. Owning ~28% of the public network in my first 3-4 lab days is pretty good progress; however, my speed of compromise will exponentially decay as I’m forced to tackle the hard boxes. These first few days are largely just plucking off the low-hanging fruit.
What’s the lab environment like?
It’s pretty sweet. What makes the OSCP lab so much better than things like HackTheBox or Vulnhub is that you aren’t just dealing with an isolated, CTF-like host; you’re working in a living, breathing network. The boxes you own may translate to success on other boxes as well (I’ll touch on this later). There is a healthy diversity of operating systems and services to deal with as well, which is also a common problem in the CTF world: the vast majority of CTFs you deal with will be Linux-based. This is a problem I ran into when I first started HackTheBox, which does consist of some Windows boxes; I am pretty proficient in a Linux environment, but putting me in a Windows environment was (and still is) a trainwreck. This is obviously an issue not just for the OSCP, but for the real world as well, where Windows has a solid 70-80% market share. Windows experience is one of the most important things I want to pull out of the OSCP, and so far it’s done a pretty good job.
Any regrets so far?
Yes, I really should have gone to my High School Prom.
In all seriousness, I do feel that I care too much about “compromising all the things” instead of really digging in and looting the boxes I compromise. As I said earlier, the lab is a live network, and some boxes are only exploitable by utilizing information found on other boxes. When I first jumped into the lab, I kind of disregarded this fact, and upon rooting a box, just grabbed a screenshot of proof.txt and peaced out. There have probably been SSH keys, hashes, config files, pcaps, and all sorts of other things that I’ve neglected to look for that may turn out to be crucial for other boxes. Because of this, I’m probably going to have to spend half a day just getting back onto the boxes I’ve already done and properly enumerating everything, which sucks.
Additionally, when I first started, I told myself I would maintain extremely precise, well-organized, and well-documented notes of my lab progress. I’m now a measly two weeks into the course, and my notes already look like a children’s coloring book. Here’s an excerpt from a part of my cherry tree doc:
(This was literally on its own branch, entirely by itself.)
I definitely regret not building a general note taking framework beforehand and sticking to that framework for every box. Luckily I’m only 13 boxes in, so I can right the ship and start being more disciplined.
Any complaints so far?
The one thing I’d say in terms of complaints is that, of the 13 lab boxes done so far, only ~5 required any sort of privilege escalation; for most of them, once you get RCE, you’re immediately SYSTEM/root. This of course happens in the real world, and doesn’t inherently make it “unrealistic,” but I would like some more practice in the priv esc arena. Additionally, of the 5 or so boxes that require some sort of escalation, nearly all of them have been “run to root” kernel exploits, which follow the same predictable path: run uname -a, get the kernel version, searchsploit the kernel version, grab some C code, compile, transfer, run, root. Again, this is obviously a fundamental aspect of security that needs to be understood, but it definitely feels overdone so far. Though, as I said, I’ve mostly done the easier boxes so far, and I’m sure I’ll regret harping on the ease of privilege escalation in a few weeks when I’m tearing my hair out trying to priv esc on the harder boxes.
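Both of the routines described above, looting a box properly before moving on (the regret from the previous section: SSH keys, hashes, config files, pcaps) and the uname-to-searchsploit kernel path, fit in one small script. The one below is an added example and not the author's own tooling. It assumes a POSIX sh with find, grep, awk and od (any Linux lab host has them) and, optionally, searchsploit on the attacking machine; the fixture paths inside loot_selftest are constructed for the demo, not taken from the lab.

```sh
#!/bin/sh
# Added example, not the author's script. Assumes POSIX sh + find/grep/awk/od
# on the target and, optionally, searchsploit on the attacking box. Nothing
# here exploits anything; it only collects what should be collected before
# screenshotting proof.txt and leaving.

# "run uname -a, get the kernel version, searchsploit it": reduce a `uname -r`
# string such as 4.4.0-21-generic to the terms exploit-db titles use
# ("linux kernel 4.4"). Patch level and distro suffix are dropped because LPE
# titles name major.minor, never 4.4.0-21.
kernel_search_terms() {
    printf '%s\n' "$1" | awk -F. '{ printf "linux kernel %s.%s\n", $1, $2 }'
}

# Run searchsploit if it is installed (attacking box); otherwise print the
# exact command so it can be pasted on the box that has exploit-db.
kernel_exploit_candidates() {
    terms=$(kernel_search_terms "$1")
    if command -v searchsploit >/dev/null 2>&1; then
        # word-splitting intended: each word is a separate title search term
        searchsploit -t $terms
    else
        printf 'searchsploit -t %s\n' "$terms"
    fi
}

# Walk a subtree (default /) and print one "<category>TAB<path>" line per hit.
# Files are classified by content where possible (a key in /var/backups or a
# renamed pcap in /tmp is exactly the loot a filename-only search misses).
# Only regular files under 1 MiB (2048 x 512-byte blocks) are grepped.
loot_scan() {
    root=${1:-/}
    find "$root" -type f -size -2048 2>/dev/null | while read -r f; do
        [ -r "$f" ] || continue
        case $f in
            *.pcap|*.pcapng|*.cap) printf 'pcap\t%s\n' "$f"; continue;;
        esac
        # pcap / pcapng magic in either byte order, regardless of extension
        magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
        case $magic in
            d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a)
                printf 'pcap\t%s\n' "$f"; continue;;
        esac
        # PEM/OpenSSH private keys, wherever they were copied to
        if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf 'ssh_key\t%s\n' "$f"; continue
        fi
        # crypt(3)-style hashes ($1$, $2a$, $5$, $6$, $y$): shadow, its backups,
        # htpasswd files, DB dumps. Checked before config so a config that
        # embeds a hash is reported as a hash.
        if grep -Eq '\$(1|2[abxy]|5|6|y)\$[./A-Za-z0-9]+\$' "$f" 2>/dev/null; then
            printf 'hash\t%s\n' "$f"; continue
        fi
        # config files that mention credentials (wp-config.php, .env, app.ini)
        case $f in
            *.conf|*.cfg|*.ini|*.xml|*.yml|*.yaml|*.php|*.env|*.json|*/.env)
                if grep -Eiq 'passw(or)?d|secret|api[_-]?key' "$f" 2>/dev/null; then
                    printf 'config\t%s\n' "$f"
                fi;;
        esac
    done
}

# Constructed fixture (not lab data) so the scan can be exercised offline:
# one hit per category plus a file that must not be reported.
loot_selftest() {
    t=$(mktemp -d)
    mkdir -p "$t/home/bob/.ssh" "$t/backup" "$t/var/www" "$t/tmp" "$t/etc"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
        '-----END OPENSSH PRIVATE KEY-----' > "$t/home/bob/.ssh/id_rsa"
    printf 'root:$6$saltsalt$hashhash:18000:0:99999:7:::\n' > "$t/backup/shadow.bak"
    printf "<?php define('DB_PASSWORD', 'hunter2');\n" > "$t/var/www/wp-config.php"
    printf '\324\303\262\241\002\000\004\000' > "$t/tmp/capture.bin"   # pcap magic, no extension
    printf 'Welcome to the lab\n' > "$t/etc/motd"                       # must not appear
    loot_scan "$t"
    rm -rf "$t"
}

# Stand-alone use on a compromised host:  sh loot.sh /   (or any subtree).
# With no argument the constructed self-test runs instead.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    kernel_exploit_candidates "$(uname -r)"
    loot_scan "$1"
else
    loot_selftest
fi
```

On a real target the only two lines that matter are `kernel_exploit_candidates "$(uname -r)"` and `loot_scan / > /tmp/loot.txt`; the output is what goes into the per-box report and into the cherry tree branch for the next box, since a key or hash found here is often the way into a host that has no exploitable service of its own.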
As of now, are you confident for the exam?
Meh. If I were to take the exam tomorrow, I’m pretty sure I would fail. However, I’m fairly confident that by the time I take my exam in August I’ll be capable of passing. I think I have enough “technical proficiency” to handle the exam; my shortcomings will mostly be due to time-management issues, bad methodology, or rabbit holes. In other words, if I had five days instead of one day to pass the exam, I’d be pretty confident of passing even now; however, I’d wager that most people feel the same way. The small time frame is what makes the OSCP so challenging. It took me around 6 days to fully complete the eCPPT exam, and the boxes in the eCPPT were significantly easier than what will be on the OSCP. Based on the limited knowledge I have of the OSCP exam, I’d say that someone with 5/10 technical knowledge and a 9/10 methodology has a better chance of passing than the other way around. The technical skills will come naturally; building strong methodology and time management skills will only come from a sheer force of will.
That’s all I really have to say for now. Future posts will likely be much more constructive since I’ll have more time dug into the lab; as of now I don’t have much “source material.” Thanks for reading, and good luck to the other fellow masochists taking this exam. I’ll probably publish another post in a week or two updating on my progress.
Discord Channel: https://discord.gg/CCZCJCu