Over the Christmas break from university, I decided to take the PWK (OSCP) course, which gave me something to do over the break and ensured I had plenty of time to complete the course. Having previously done other cyber security courses such as CompTIA Security+ and eLearnSecurity’s PTPv4 course, I liked the fact that the PWK course was heavily practical in nature and had an extensive virtual lab to test penetration testing techniques on a variety of systems.

In my opinion the OSCP certification is worth the initial cost and has a high return on investment compared to other certifications, due to the fact that the course is practical and proves to employers that the candidate is competent in penetration testing concepts and can apply them to a multitude of environments. Having spoken to hiring managers, the OSCP qualification is highly desirable and is vastly gaining recognition around the world, which makes this certification an excellent way to get into the information security field.

Background

I’m currently a third year BSc (Hons) Ethical Hacking student at the University of Abertay and have three years of experience within the IT sector in various environments such as Help Desk and System Administration (Linux/Windows). I’ve also taken eCPPT before and hold CompTIA A+, Sec+, Net+ and MCITP: Enterprise Desktop Support Technician. I would say my previous experience with Windows/Linux did help, although my programming/scripting skills were pretty basic before I took OSCP, and I managed to improve them during the course.

Who should take the course?

In my opinion anyone can take this course; however, you must have a general understanding of TCP/IP networking, Linux/Windows command line syntax, basic security concepts and Google Kung Fu, and Bash/Python/Perl scripting knowledge will come in useful too. You must also have the passion and dedication to keep going and try harder; if you are the sort of person who needs to be hand-held, then this course may not be for you.

That said, if you are used to being guided, then changing that strategy to self-learning will ensure you succeed in the lab. In essence, you must be willing to research areas you are struggling with and dive deeper into concepts/tools/exploits and vulnerabilities that OffSec does not provide information on. Resources such as Exploit-DB, Stack Overflow and Google have helped me tremendously. If you get stuck on something, keep googling and try to locate the relevant knowledge to understand further what you need to do, as the OffSec admins will not give you answers.

PWK Labs

The bread and butter of the PWK course is the labs and not the actual training material. Upon receiving the PWK course material you will get access to the labs by connecting to the VPN server with the provided credentials. I will not reveal the total number of systems; however, there is a huge number of systems with an extensive variety of both Windows and Linux operating systems and numerous vulnerabilities, from web applications to vulnerable services and misconfiguration issues/unpatched systems, which allows you to practise your skills in numerous areas in a safe environment.

Another point to note is that the labs are a shared environment and other students may be on the same systems, so you should check that a machine was not reverted too recently before working on it, and revert the machine before you start enumeration attempts. There have been a few times where a student has modified the system in a way that was not intended or left privilege escalation information/exploits behind, which spoiled the process for me. Always revert!!

On the topic of Metasploit usage within the labs, you may use whatever tools/exploits you wish from it. However, in my opinion you should be careful not to limit yourself to being a tool monkey using only Metasploit, and remember you can only use it once during the exam. There are plenty of manual exploits available which may need to be modified, but this will enhance your understanding of working with exploits and shellcode and getting to know how they work. I already knew the basics of Metasploit so did not need to learn much of the tool; however, if you do not have much experience with it, by all means use it to learn and test out various techniques, but also attempt the manual exploits.

Finally, you will be expected to break into systems on four networks (Public/IT/Dev and Admin), which may require the use of tunnelling/pivoting techniques. I’d advise you to fully read and understand that section within the PDF, as it will help tremendously. I’d also recommend treating this like a real penetration test: you will need to start enumeration from the basics to find hosts to target first, which can be done using various ping sweep techniques, nmap scans and other methods. So remember your training and TRY HARDER!

Having finished the labs and exam, I very much miss the labs and wish I could go back and keep breaking into more systems. The labs are VERY addictive, and for that very reason I did not find this to be a typical course/exam; practical courses are more my style.

OSCP Exam

During the OSCP exam you will be provided with a VPN connection to a lab environment and will have 23 hours and 45 minutes to achieve the required number of points on the exam (70 points); points may be awarded for partial compromise (low privilege access). Each exam machine is worth a different number of points. After completing the first part of the exam, you will then have 24 hours to complete an exam report on your progress, and may also submit the course exercise/lab report with it. I would highly recommend completing the lab report and the exercises, as this may give you +10 points on the exam, as long as you follow the requirements and complete the documentation thoroughly.

I myself did complete both the lab and exercise reports and submitted them with the exam report, and would highly recommend you do this along with using the recommended report template from PWK. Both resources can be found below to get further information on the exam.

https://support.offensive-security.com/#!oscp-exam-guide.md

https://www.offensive-security.com/pwk-online/PWKv1-REPORT.doc

I started my exam at 12:00 and immediately started to run enumeration scripts and identify potential vulnerabilities, which took me around two hours to do. After this I got my first full compromise, which gave me some points. Around three and a half hours into my exam I managed to exploit another system and worked on privilege escalation. I then took a break and went and had something to eat.

After this, I spent another two hours trying to get one of the low point machines; however, I kept banging my head against the wall, as I was obviously missing something simple despite enumerating the hell out of the machine. As I was making very little progress, I moved on to one of the higher point machines and further enumerated this, which took up the majority of my time until I realised what I was missing. After gaining access to the machine, I spent the next few hours attempting privilege escalation, which was successful. At this point it was around 2am. After another break, I got back to exploiting the low point machine, with very little success again. I knew that with the current hosts I had, and with my points from the lab report, I would most likely pass.

However, I kept trying harder and moved on to another high point machine, but did not manage to gain access to it. At this point it was around 5am and my brain was fried, so I set an alarm for 3 hours and went to sleep.

After waking up, grabbing a coffee and spending 30 minutes reviewing the host enumeration data, I gained access to the machine and got my fourth machine. At this point I knew I’d passed and was very happy indeed! I kept on going to exploit the last host, but could not find a way in. I stopped at around 10:50am and ensured I had all screenshots, then started to work on the report, which took me a number of hours as I wanted to ensure it was perfect. I then submitted my 26 page exam report along with the lab/exercise report, and patiently awaited the results, which came back around two days later with a pass!

Conclusion

The OSCP course is absolutely fantastic and did not feel like a course at all; I’m sure they should add a warning to the course to say it’s extremely addictive!! Having withdrawal symptoms already! In all seriousness, I would highly recommend this course to anyone with the passion and dedication to enter the information security field, as long as you have the pre-requisite knowledge. Despite some reviews that mentioned scripting/programming experience is a must, I would disagree with this, as my prior programming experience was not too great and, with further research using online resources and exploit development tutorials, I was able to make things work without issue.

The most important aspect of this course is the drive to succeed, and you must push yourself to Try Harder! I’m very proud of achieving this qualification, and it’s something I can say I dedicated time to and worked for, unlike other qualifications that are just memorisation tests.

I would also recommend you purchase enough lab time, depending on your time commitments and skill level. If you do not have the pre-requisite knowledge, then I would recommend further learning before taking OSCP, with courses such as PTS and/or PTP from eLearnSecurity. Another thing to note is that people taking this course may exploit machines at a different rate than you and/or even pass first time. Not everyone may pass first time, as everyone has different knowledge and ways of doing things. So keep going, and do not stop till you pass! I was surprised that I passed first time; however, I did put a lot of effort into the course, which paid off in the end.

Enumeration Scripts

During the course of the PWK labs, I created two Bash scripts which I used, in combination with other tools, for all enumeration attempts, and this was very successful. I’m hoping to further develop my basic Bash scripts into a more suitable Python script with multi-threading to save time in the future. You may download them below; however, I would recommend developing something on your own.

NMAPv2.sh http://pastebin.com/e4zRNywc

HTTPEnum.sh http://pastebin.com/kv6qcUHh
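Whatever wrapper you write around nmap, the part that pays off in the exam is being able to review the enumeration data quickly (the author mentions 30 minutes of reviewing host enumeration data unlocking the fourth machine). The following is an added example, not the author's NMAPv2.sh or HTTPEnum.sh, of a Python helper that turns nmap's XML output (`-oX`) into a per-host summary of open ports and services, skips hosts that were down, and builds a reverse index so you can see every host exposing a given port. The embedded XML is a constructed sample with made-up addresses, ports and versions; in practice you would read it from the file nmap wrote.

```python
"""Summarise nmap XML output per host (added example, not the author's scripts)."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample resembling what `nmap -sV -oX scan.xml <range>` emits.
# All addresses, ports and versions are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.11.1.0/24">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.11.1.5" addrtype="ipv4"/>
    <hostnames><hostname name="lab-web" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.11.1.9" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.11.1.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str|None, "ports": [(port, proto, service, version), ...]}}
    for hosts nmap reported as up. Closed/filtered ports are left out."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host did not respond; nothing to review
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue  # only a MAC address, cannot key on it
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # product/version are only present when -sV managed to probe the service
            version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"), name, version))
        ports.sort()
        hosts[ip] = {"hostname": hostname, "ports": ports}
    return hosts


def services_by_port(hosts):
    """Invert the summary: {(port, proto): [ip, ...]}, e.g. every host with 445/tcp open."""
    index = defaultdict(list)
    for ip, info in hosts.items():
        for port, proto, _name, _version in info["ports"]:
            index[(port, proto)].append(ip)
    return dict(index)


def format_summary(hosts):
    """Render the summary as text, one host block per line group, sorted by address."""
    lines = []
    for ip in sorted(hosts, key=lambda a: ipaddress.ip_address(a).packed):
        label = ip if hosts[ip]["hostname"] is None else f"{ip} ({hosts[ip]['hostname']})"
        lines.append(label)
        for port, proto, name, version in hosts[ip]["ports"]:
            lines.append(f"  {port}/{proto} {name} {version}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Run it against a real scan with `parse_nmap_xml(open("scan.xml").read())`; the reverse index from `services_by_port` is the quick way to answer "which hosts share this service" when you come back to the data after a break.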

Useful Resources

http://www.fuzzysecurity.com/tutorials/16.html

https://it-ovid.blogspot.co.uk/2012/02/windows-privilege-escalation.html

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://pentest.blog/explore-hidden-networks-with-double-pivoting/

https://github.com/maurosoria/dirsearch

http://www.fuzzysecurity.com/tutorials/expDev/1.html