As is cliché for all network security students who enroll in PWK/OSCP, I’ve decided to share my experience of this crazy, long, wild ride.
If you take away nothing else from this post, remember this from the post below: I had written the report from an incorrect point of view. I needed to write the report from the point of view of a help desk intern. Someone that knew how to copy and paste, move files, and change directories. I needed to write it from the point of view of someone that knew nothing more.
When I was earning my degree, there was only one cybersecurity course available in the catalog, and it was always over-enrolled by ~10 students. I signed up on the waitlist, eager to learn more, and crash the class. On the first day, the professor notified the class that he would not be able to take any students from the waitlist, and to please exit the classroom.
As people began to get up and leave, I decided to stick around and ignore the professor’s request. I badly wanted to enroll in the course. I stuck through the first day, syllabus day, until the end of class. I walked up to the professor, behind a line of ~5 other students, presumably with the same “Add Course” form as the one I was holding. I wasn’t feeling too hopeful about my chances to add the class, and when I arrived at the front of the line, he told me the same thing he had been telling the others when he saw what was in my hand – “No.”
I continued to attend the class – this was my only chance of fitting it into my 4-year graduation plan. After the 6th class session, which was during the 3rd and final week to add classes without the Dean of the college’s consent, I walked up to the professor one last time, asking to enroll. This time he agreed.
The course material itself wasn’t as fulfilling as I had hoped. We used Kali Linux (my first experience with Kali), and upon navigating to the Kali Linux download website, I noticed that there was an advertisement for the OSCP certification. Doing some basic information gathering, I saw the price tag, and the requirements for the certification, and was immediately intimidated. However, after doing some additional “research” on Reddit and job postings with OSCP stated, I saw that the certification had some clout.
I dove straight in – submitted my course fees, and signed up for 30 days of lab time. I watched all the course videos, taking notes as I went. I spent about 3 straight weeks working on the videos, trying to understand it all as best I could. It was a huge wealth of knowledge for me, as I had absolutely no prior experience.
The videos had been a great place to start and learn from. All the knowledge needed to begin was laid out plain in front of me. But I was excited to finally be done with the videos. It felt like an accomplishment on its own to be done with them. I then began the labs – and got absolutely destroyed by them. I had no idea where to start. I spent hours Google searching with queries similar to “where to start with attacking boxes OSCP”.
I wasn’t able to find any resources quickly, so I just went back to referencing the OSCP coursework. I cobbled together some terrible Nmap scans, and just started looking for any boxes that had port 80 open. At least I could enumerate the web server easily, looking for anything out of the ordinary.
I had started working on the OSCP between semesters, and the next semester was coming up quickly. I thought that since I had gotten user on some of the boxes on the OSCP subnet, I was good enough to take the exam. I felt the pressure from the oncoming semester, and I did not want to set the PWK coursework aside for the semester. I had enrolled in over 18 credit units at school, and I needed to finish this OSCP thing here and now.
I signed up for my first attempt, and I was nervous. I was as nervous as you can probably imagine. It was taking over every single thought in my head, and clearly wasn’t healthy.
Then came the day to take the exam. I started my Kali VM, got my 16 cup pot of coffee going, and had food delivery lined up throughout the day. 15 minutes before my intended start time, I logged in to begin the pre-exam check. I saw that the software was checking if I had a webcam connected, and it returned a big fat red X. Dangit, why wasn’t my webcam showing up? I unplugged it from my USB port, plugged it back in – still nothing. I fired up the default Windows application “camera” to see if it would at least recognize the webcam.
No beans. Well, since I was using a laptop that had a built-in webcam, would that work with the monitoring software? Nope. I fired up the “camera” application one more time to see if it would work with the built-in webcam. Thankfully it worked, and the proctor said that it was acceptable, since I was sharing my screens. However, that meant I couldn’t minimize, and had to stare at myself for the duration of the exam.
Already shaken up over the webcam, I was given the exam VPN pack. Connecting to it – I gave it everything I had. Nmap, nikto, enum4linux, and my web browser. If a server didn’t have any web servers open, I considered it a lost cause. As you can probably assume, I ended the exam, 18 hours in, with 0 points. I felt extremely defeated, but I had to set it aside. Finishing my degree was the priority.
After about a 6 month break, I launched my Kali VM again, rusty as ever. But I was excited about security again. So I just did a deep dive into Google, using queries like “Information Security Practice”, or “OSCP practice”, trying to find the missing pieces to the OSCP puzzle. There had to be communities out there that I could join, where there were like-minded people.
I found disboard.org, where Discord servers can promote themselves to be found. It was through this website that I finally found the communities of “The Cyber Lounge”, “The Cyber Mentor”, and a bunch of like-minded people. From here, I discovered HackTheBox, signed up for VIP so that I could work on retired machines, and found Tj_null’s list of OSCP-like boxes for HTB.
I went down the rabbit hole of infosec and cybersecurity, because I had finally found the resources necessary to learn more and improve. I spent a solid couple of months talking to people, and trying to sharpen my skills through retired HTB machines. Reading through blog writeups and watching YouTube walkthroughs, I was finally able to find a process for reliably exploiting machines. I watched all the YouTube videos on HackTheBox machines that I could find. IppSec’s YouTube channel was an absolute gold mine from my perspective, and still is. I also found Typora during this time, and began taking markdown notes. Using markdown keyboard shortcuts and syntax really allowed me to take notes quicker, and as a result, better notes.
After exploiting 15+ retired HTB machines, both Windows and Linux machines, I felt that I was ready to take the OSCP exam one more time. I had learned a lot more about process and port enumeration, and I was comfortable with both flavors of privilege escalation.
This attempt, I purchased a new webcam, and it worked flawlessly. Additionally, I performed much better, but my Linux privilege escalation enumeration script didn’t perform as expected. My Windows privilege escalation enumeration tools didn’t work well for me either. The Windows tools at least provided leads, but after spending hours attempting to exploit them, I was sure they led nowhere. I was able to complete the buffer overflow machine, but could only gain user access on the remaining machines. I was crushed, but I knew where I needed to improve.
To improve my privilege escalation game, I combed the internet for tools. I gathered all the tools into one place, and then tried every single tool against a retired HTB machine (Windows/Linux respectively). This way, I was able to see what each tool brought to the table. Additionally, at around this time, Tib3rius’s Linux Privilege Escalation course came out, and I instantly purchased it. Taking this course definitely gave me the upper hand in the following OSCP exams. To work on Windows privilege escalation, I worked on the lpeworkshop, and attempted to gain root access on more retired Windows HTB machines. After a month or so of practice, I decided to take the OSCP exam the 3rd time. During this time I also finished up my degree, and had finally earned it.
This attempt was a nail biter, even for me, while taking it. It didn’t bode well that, after connecting, I got a BSOD while going through the pre-exam checks, due to a webcam .dll crash. I had no issues with the buffer overflow machine, and had gained user access on 4/5 machines by hour 6. I was able to knock out one of the Linux machines an hour later, and the 10 point machine, so all I needed was one more machine’s root access. Yes, I had 70 points, if you count user access as half of a box’s total points, but since Offensive Security has not given an official statement on it, I didn’t want to take a chance on it. One box gave me more issues than I could count on my two hands, so I decided to go after the Windows machine that I had user access on.
At this time, my machine decided that now would be a great time to start choking. I noticed that even dragging windows around in my host operating system felt extremely sluggish, so I opened up task manager. I was at 100% usage for both RAM and CPU. I didn’t notice any unusual programs running, or any unfair utilization of running programs. I had been floating at around 80% usage of both through the entirety of the exam, but right now, it was reaching a new height. I decided to take a break, and cross my fingers that it wouldn’t crash while I left the room.
After about 30 minutes, I came back to an operating computer, with resource utilization floating once again at ~80%. I continued with the Windows machine. After going around in privilege escalation circles for some time, I finally rooted it. I had rooted 4/5 hosts, and achieved 80 points. I jumped out of my chair and shouted even though it was 2 A.M. local time. I told the proctor that I had to take a break, and walked a lap outside.
3rd Attempt – Report
After earning 80 points – only 70 are required – I tried to lie down and sleep. But the thoughts of accidentally oversleeping, the webcam dying, and the computer crashing kept coming into my head, so I wasn’t able to sleep well. Since I kept my VPN connection open, I didn’t want any of those things to occur, as then they had the possibility of marking me as “rogue” or whatever term they may use. I got about 2 hours of sleep. I just got up out of bed, took a shower to wake up, made some coffee, and sat back down. I then began my report. I had never seen a completed report before, nor could I look at previous reports from those who had passed. I just surfed Google and Reddit, looking for any useful information. Near the end of my attention span for searching, I found a comment that said to create the report and document all steps as if you were speaking to a penetration tester. One of the requirements per the exam requirements page for OSCP is to document all steps so that they can be reproduced. So I began to write my report, using the template provided by OffSec, including all steps that would be needed for a penetration tester to reproduce what I had done.
In all, my report was ~60 pages, with a majority of the space being taken up by screenshots and scan output. In between much needed breaks, and trying to stay focused, the report took about 12 hours. I followed all the steps as laid out in the exam requirements in order to submit my report, and sent it in.
3rd Attempt – Result
I still couldn’t sleep, even after submitting my documentation. I woke up nearly every hour, a terrible feeling of anxiety would immediately and almost uncontrollably wash over me, and I would immediately look at my phone for email notifications. I got another night of crap sleep, and went to work. Again, nearly every 30 minutes, I would check my phone, looking for anything from Offensive Security. Still nothing. I finished the day, still mentally and physically drained from the previous days of taking the exam.
Still, I would wake up every couple of hours, looking for any emails. I know that they said that it could take up to 10 business days for a result, but I couldn’t help myself. At around 6 A.M. after going in and out of sleep, I looked at my phone yet again. I saw that there was an email from Offensive Security, and quickly unlocked my phone. I read the first line of the email. It began with “We regret to inform you…” and my heart and stomach immediately sank. I ran to the bathroom.
Even Further Improvements
This failure absolutely crushed me. In the email, they stated that I had failed due to exam documentation requirements. I immediately sent an email to Offensive Security asking for clarification, and the response was a canned one: “We will regrade the documentation and let you know within 10 business days of our decision”. I thought that maybe they had pressed the wrong button, or that the person reviewing my documentation had a bad day. I was sure that they were going to reverse their decision. I spoke to others inside the infosec communities that I was a part of. They hit me with questions, trying to figure out where I had misstepped. Maybe I had forgotten to include screenshots of the proof text files? Maybe I didn’t name an exploit in the report? Did I not copy a proof hash correctly? But at the end of the day, I replied to all of their questions with “Yes, I did that”.
Armed with this new knowledge, I was sure that I should have passed. So I waited. Days passed, with no correspondence. I was becoming increasingly worried that I was losing precious time, as I didn’t want to apply to any jobs without my OSCP certification, and what if they again rejected my documentation? Without knowing more about why I had failed, or any clarification, I signed up again to take my exam for the 4th time.
I got the fateful email 8 days after requesting clarification: they stated that in particular, I needed to document all steps, commands issued, exploit links and console outputs in the report, in such a way that a technically competent reader could reproduce the exploits. It was at this moment that I realized where I had screwed up. When writing my documentation, I had written the report from an incorrect point of view. I needed to write the report from the point of view of a help desk intern. Someone that knew how to copy and paste, move files, and change directories. I needed to write it from the point of view of someone that knew nothing more.
I took the exam again, a month after beginning my previous attempt. This time around, I had extreme levels of self-doubt. My gut had been wrong for the previous 3 exam attempts, why should I believe that I was going to pass this time around? I just had to go with it. I needed to have that faint glimmer of hope.
I had just built a new computer, and I was sure that my rig wasn’t going to limit me in any way this time around. I set up OBS to record the entire session – at full native resolution. Everything that was needed was running, and every computer resource was at single digit percentage utilization. I felt good. I started the buffer overflow machine, got that out of the way, and then continued to the other 4 machines that were assigned. After 6 hours, I was able to obtain full access on 4.5/5 boxes. I thought that was good enough, and started writing my report.
4th Attempt – Report
With my somewhat recent switch to Typora (markdown notes) over Cherrytree (no clue), I thought that writing my report using a markdown PDF template would allow me to create the report faster. It most certainly did that: I was able to copy and paste, insert code boxes, add titles to images, etc. within a short amount of time. However, before I got too far, I wanted to do a dry run of compiling this markdown file into a PDF using pandoc.
Installing pandoc wasn’t too difficult, and then I moved on to the other dependency, LaTeX (pdflatex to be specific). I had the very wrong assumption that LaTeX wasn’t going to be very large, since it had been around for 20+ years. After starting the download using TeX Live, I saw that the download was 10GB+, and started stressing. This was going to take a while, especially downloading it from throttled machines. Do I continue working on this markdown report, that I’ve been working on for 4 hours, or do I just make the transition to Word?
After 2 hours, pdflatex finally finished downloading. While attempting to generate the PDF, I ran into error after error. After an additional hour of troubleshooting, I was able to generate a PDF. However, I now needed to highlight text in red. I tried using HTML tags to color text, but every time the PDF was generated, it would strip out the colors. Okay, time to move onto Word. I couldn’t waste any more time.
I downloaded Word, and started getting to work, copy and pasting over text from the markdown report, to the Word document. I didn’t want to miss anything. After copy and pasting everything, I figured that now was a good time to try and get some rest.
Even though I still stressed about my computer crashing in the room next door, or some other catastrophic event, I was able to get some decent rest. I woke up the next morning, did my routine, and sat back down in my seat. I spent the next 10 hours painfully recreating all my steps in the form of screenshots, commands, I even used this website to make my commands look pretty. Thankfully Word accepts HTML and styles appropriately. I included every single step needed to recreate the exploit. You can see my suggestions for general report writing here.
I finally reached the end of my report, and decided to read through it a couple more times, looking for anything out of the ordinary. I had been staring at this report for 14+ hours, and was sure every detail had been filled in appropriately. But I still looked. I double checked the hashes of the boxes, and I realized that I had flipped two. I started from the top, and went down again. This process repeated for the next 4 hours. I would start from the top, go down slowly, reading, looking for anything out of place. I would discover something, make the change, and then start from the top again.
I finally believed that it was done. Each step painfully documented, in text, so that the reader could copy and paste, with accompanying screenshot for proof. I generated the final PDF one more time, did my black magic to it, as instructed by OffSec, and submitted it. I felt a huge weight off my shoulders.
The next day, I went back to look through my report. I just wanted to know if there was anything that I missed in my delirium. As I scrolled through my report, I found something. I found that I had left my “Vulnerability Explanation” and “Vulnerability Fix” sections empty for one of the machine’s exploits. I felt my stomach hit the floor, I was probably going to fail again.
I went over the exam documentation requirements for what seemed to be the 87th time, and saw that no requirement stated that those two sections needed to be included. I felt a little bit better, but still unsure.
4th Attempt – Result
The result came within 48 hours of the report submission. I was at work, trying to take my mind off of the likelihood of failing the OSCP exam again. I saw that my phone said an email had been delivered, and had to open it up. I saw my name in big red text in the email, and knew that I had passed.
At the end of the day, I believe that the OSCP gave me a solid foundation of understanding. The PWK course allowed me to gain a rather basic understanding of pentesting, while whetting my appetite for more knowledge. The metaphor that others use still rings true. The PWK is just the tip of the iceberg of OSCP. There is a lot more that isn’t handed to you, that is just sitting under the water, ready to be discovered.
HR and hiring managers really love this certificate. It is a pretty decent filter, and validates the owner of the certificate, in the areas of pentesting and aptitude to learn. I almost didn’t make it through, and it certainly isn’t required to be a penetration tester. It isn’t the end all be all of certifications. But I promise you that it does help in looking for work.
Offensive Security isn’t the warmest or kindest organization out there, but it is possible to earn OSCP. With the help of HTB, infosec communities, and practice, I was able to pass. And you can too.