It’s done! I may now officially call myself “Offensive Security Certified Professional”, OSCP for short.

This certification has given me sleepless nights and painful failure. But the feeling of finally finishing the exam was even sweeter.
In contrast to other “classic” certifications, which convey a lot of theory and end with multiple-choice tests, the emphasis here is clearly on practical experience. This is exactly what I wanted: a course that hurts, so let’s dive into the abysses of the command line.

After the registration you get the following:

  • An ebook with the course material and exercises (very good quality, free of inconsistencies)
  • Video material with commented screencasts (also of high quality, in calm and clear English)
  • Access to the Offensive Security “Lab” via VPN

I first devoted myself to the ebook and the video material and did not hack the lab until I had finished the exercises. Mistake!
My advice: dive into the lab as soon as possible and try to hack machines. This is the only way to get addicted and learn effectively. But don’t skip the course material. Unfortunately, as my job and family left barely any spare time for the OSCP, this took a few weeks.

I had to extend my lab time several times. I found out that with each lab extension you obtain a free exam attempt. If, however, you extend without trying the exam, the “old” exam attempt expires. After buying the second extension I thought I should give it a try. At that time I had rooted 18 of over 50 machines.

Exam 1 (Die another day)

With a lot of respect, I began the exam on a Monday at 11 am (the earliest start time at CET). The family was on vacation, my cellar was going to be my home for the next 24 hours.
What followed was a trip straight to hell!

Task: gain (root) shells on 5 computers (weighted with different points)
Goal: reach 70 out of 100 points

I started with a moderately easy but highly weighted machine and followed the usual scheme for developing a buffer overflow exploit. Nope!
Although I seemed to do everything correctly, as in the exercises and my own preparation, the exploit did not work. I knew this was a must-have and did not let go. Double- and triple-checked all steps, no success.
2 o’clock at night: my computer crashes. Time to take out the hammer!

I decided to go to sleep and get up again with fresh ideas. Without really sleeping, finally around 7 in the morning it clicked! My suspicions were confirmed and the machine was finally cracked. Only now did I understand a cryptic piece of advice I had previously read in a blog about the exam: “never make assumptions!”
Too late, but thank you!

In the rest of the time, I felt like an underdog trailing 0-3 in extra time, but still trying everything. I rooted one other machine and got a low-privileged shell on another one. One more privilege escalation and I would have reached 60 points. With the 10-point bonus, which can be obtained for submitting the solved exercises and a lab report, I would have reached the required 70 points!

A little later: over and out, at 10:45 the examination time ended as announced.
Only half disappointed, I still wrote the report and submitted it. So close; next time it should be easier.

Get over it

Failing a test has happened to me quite rarely, but giving up is out of the question. What led to the failure?

  • I wasn’t prepared well enough! What helps with pentesting is experience. There are no shortcuts! With just 18 hacked machines, I had barely got my feet wet. It may not be valid for everyone, but the number of machines rooted in the lab is a good indicator of whether you are ready for the test. Offensive Security gives about 30 machines from the Student Lab, excluding the big three (the particularly hard machines Pain, Sufferance and Humble), as an approximate number.
  • Bad strategy. The trick with the OSCP is to avoid so-called rabbit holes, so don’t concentrate on the first finding and never let go. This costs time, and experience shows that Offensive Security does not want you to go in depth, but in breadth. So the golden rule applies: “Enumerate, enumerate, enumerate!” indeed.
  • Too little sleep before and during the test. My tip: 24 hours before the test, stop practicing and concentrate only on your own health.

After a break of a few weeks I bought another 30-day lab time extension, and my goal was to collect as much experience as possible. I also scheduled an exam in the middle of the lab time as another exercise. If it works out, great. If not, it’s good practice.

Exam 2 (Tomorrow never dies)

Surprise! New Exam Rules! Offensive Security has changed their rules since my first attempt:

  • The bonus points for the lab report were cut from 10 to 5 points

Good to know. Considering how narrowly I had failed on the first attempt, despite my obvious deficits, this is an understandable step by Offensive Security. So I needed a successful (partial) hack on 4 out of 5 machines.

Even if I took this as an exercise, I took it seriously. Within 6 hours I was at about the same point as the first time and still had plenty of time for the rest of the machines. From then on it got tricky again and I was dealing with machines with a lot of open ports, obviously an intended distraction. For the first time, however, I began to recognize the big picture of the lab and discovered a potential gap on a machine. In the end, it failed on implementing the exploit and on time. Again, there was no sleep. This feeling, when your brain feels like pudding at around 3 at night, was new to me. It really pushed me to my stress limit.
This time I skipped the report because there had been no feedback from Offensive Security on the first attempt.

Buckle Up

Now practicing began to be fun. The machines fell. Some hurt for days, others only a few hours (very few even minutes). In the end, I hacked into 2 more networks, applied pivoting techniques, and even successfully rooted one of the Big Three: Pain. After hacking over 40 machines I felt ready for the exam.

Exam 3 (Goldeneye)

2 weeks of intense lab time later, I was finally ready.
The evening before, I watched some videos of Jan Wikholm’s Path to OSCP. This one motivated me a lot:

https://localhost.exposed/2016/08/13/path-to-oscp-part-23-hope

When you see the joy in his eyes at the moment of triumph, it reminds me of athletes who win a gold medal and enjoy the reward after months (or years) of hard work. A lame comparison, but I still like it.

This time I started the exam at 2 pm because I hoped to be able to get some sleep knowing there would still be enough time left the next day. Which wasn’t necessary …

I really ruled this exam:
At 1 o’clock at night I had earned enough points to pass and was finally able to sleep. After I had collected and checked the necessary documentation the next morning, I wanted to crack the rest of the machines. Much more confident and relaxed, this was now a mere formality. So I could finish the test with 100 out of 100 points. At about 3 pm I submitted the report and met with friends and family at the local city beach. Yes!

[Image: Link holding the Triforce]

Conclusion

The OSCP is undoubtedly one of the major challenges that IT professionals can face in terms of certification. The CISSP exam and the like are peanuts compared to the OSCP, as Patrick Sauer already put it.
If you already have experience as a pentester, it will be much easier for you. My experience as a long-time software developer and architect did not help that much, because scripting with Python, Bash and Ruby was rarely the problem. It certainly helped most when fixing exploits from the Exploit DB.
I definitely improved my admin skills for Windows and Unix/Linux, and I can now perform serious penetration tests.
Next I could tackle the OSCE, which is more aimed at the development of exploits. My focus, however, will probably be on using what I’ve learned, so I will practice on Overthewire and hunt some bugs on Hackerone. Happy hacking!