Sunday 27 May 2018

My OSCP journey

Today I thought I’d put together some words, thoughts, advice and general experience of the PWK/OSCP course journey. 
First off, a little bit about my experience.
I’ve worked within IT for over 10 years, most of this within security. After school, I studied a diploma in computer systems engineering. This was a great course and I enjoyed it. It covered all facets of IT including system administration, network admin, programming, scripting and general electronics. The course covered the official Microsoft and Cisco curriculum. I completed all the courseware for the MCSA for Windows 2K3 and Cisco CCNA content.
The diploma gave me a good understanding of IT fundamentals.
After my diploma I started working for a large telco in network administration. About 50% was IP based and the other 50% covered mobile and fixed-line/PSTN networks. Here I gained a solid understanding of networking.
After doing that for 2-3 years, my next 7 years were spent within security. I’ve worked in the financial and government sectors across identity, vulnerability/security assessments, auditing, incident response, compliance and design.
In terms of security qualifications, I’m also a SANS GIAC GSEC and GCIH holder. I’ve gained these certifications over the last few years, as well as my Red Hat RHCSA certification.
My IT experience is vast and I have quite a number of years’ experience.
I’ll try not to go off topic, but if there’s one thing I can say to aspiring OSCP/security beginners, get the fundamentals first before moving into this field. 
Of course, this is only my opinion and there are others out there. In my experience, the security field in IT requires you to have a strong understanding of all things IT. I’m in no way saying that a system admin or a database admin have ‘limited’ skills. But in my eyes, you need to have some experience in other areas to do well in security. I’m no expert, but I feel the years of experience leading up to now have helped me a lot over the years.
I can’t imagine finishing my diploma and then going straight into the PWK course and sitting the OSCP exam. Yes, I learnt IT basics, but I had no ‘enterprise-level’ grasp or concept.
However, I’ve seen some absolute guns coming out of university that have an amazing level of IT understanding. Kids these days are writing mobile apps in their teenage years, or even performing the basics of enumeration of a network/computer. Meanwhile, I was trying to work out how to play Dark Forces in Windows 95 (Or 98?).
Anyway, all I’m trying to say is: for me personally, I think it would be worth a beginner getting at least 2-3 years’ experience in general IT system admin before moving into security. Perhaps 6 months to a year in a help desk role, then the remaining as a system admin. Get some fundamental skills, work experience, and then try to move into security.
Your best bet is getting into a large company with a big security team. Once you’re in, meet up with security managers, show them you’re interested and keen, and you’ll land a spot!
(Again, just my personal advice!)
I just wanted to provide a brief background as I find most people ask these questions to OSCP holders.
Now onto the course…

--> SIGN ME UP!
My interest in the course essentially came from my line of work. Currently I’m responsible for vulnerability assessments and developing mitigation plans. I have a high interest in penetration testing and my work covers a lot of it, up until the point of exploitation!
Prior to the course, I was well versed in the enumeration tools and techniques, but in terms of actual exploitation, I had very little hands-on experience.
My interest in this course really spiked after I completed the SANS SEC504 course, which just touched on the basics of pentesting. More so, the tools used. After I completed the course, I was already planning on booking the PWK course and getting my OSCP.
Just after New Year’s Eve, I made a goal to be OSCP by June 2018. Cutting to the chase, I booked my PWK course on 28th Jan 2018.
If you have a start date in mind, make sure you book well in advance. The earliest I could start was February 11. Ideally I wanted to start a week earlier, but it wasn’t an issue.
I signed up for 90 days lab access and planned to sit the exam early May. I heard that most people take about 100 hours (yeah right, lol) to be ready for the exam. In the end, I easily put in 300-400+ hours, but hey, that’s all in the past now!
I work a normal full-time job, so I planned on doing a few hours each night during the week and more on weekends.
For now, the course was booked and I had two weeks to prepare myself.


--> LEAD UP...
My only suggestion here for the time between booking and starting your course: do not touch a computer. You’re going to go cross-eyed over the next 90 days.
Get yourself a comfy chair if you don’t have one.
Download your Kali VM. My advice, use the recommended PWK one. Do others work? I’m sure they do, but why risk it? Or why make it harder for yourself?!
What else? Ummm… overdose on vitamin D (AKA get some sun), eat well, exercise. Just do whatever you want.

--> LET THE GAMES BEGIN
If there’s one thing that’s certain, you will receive your course content/email right on the minute. Actually I reckon it was right on the second.
So Sunday 11th of Feb arrives and I receive my course content. 
My initial plan was… read the email, prep my vm, download my pdf and videos and test/try the VPN connection. Well that didn’t happen… I ended up spending 4-5 hours that day watching the first few videos… I was hooked.

--> PWK PLAN OF ATTACK
This was my plan:
  1. Watch the videos for the first course topic
  2. Read the same course topic within the PDF at the same time
  3. Finish the exercises for said topic
  4. Rinse and repeat until course content is complete
  5. Start the labs
I heard mixed things about how long it takes to go through the course content. I had prepped for at least 1-2 weeks. In the end it took me just over 3 weeks.


--> FRUSTRATION IS THE NORM
Get prepared to have your arse handed to you. 
From the beginning, I always planned on doing the lab report including ALL exercises. Yes it’s only worth 5 points and requires A LOT of your time. But, something I always kept reminding myself during this course was… Yes I want the certification, but most importantly, I wanted to get the most out of the course. I thought, doing the lab report and exercises would support this. 
While I had to put in a lot more time, in the end, it paid off and I did learn more than if I just went straight into the labs.
So my advice here, do the lab report and exercises. I definitely used techniques from the exercises in the exam. Not exactly the same, but if I didn’t do the exercises, not sure what I would have done in those instances.
There were quite a few exercises that had me thinking and took me over multiple nights to finish. This is where some nights I was saying “why am I bothering?!”, but persistence is key and it paid off. And boy did it feel good once you got through it.
Anyway around the 6th of March I finally finished and completed all of the course content and exercises.
Up until this point, I was using KeepNote for everything. I later realised what an idiot I was, as I had to spend at least another 3-4 nights getting all of my KeepNote content into the required lab and exercise report format. My tip here is: yes, use something like KeepNote, but also put your screenshots and exercise answers straight into the lab report. You’ll save yourself a ridiculous amount of time duplicating it all again.
Just to reiterate. If you feel like giving up during the course exercises. STOP. Think about why you’re doing the course and what you want to get out of it. Take a break. Get back into it.
If you just want to get the OSCP cert. STOP doing the exercises and probably stop reading this blog haha.

--> TIME TO H4cKs
It’s lab time baby. You’ve learnt so much, you’re ready.
Put on your black hoodie, put on your Guy Fawkes mask, dim the lights, turn on your neons, change your terminal font to green, lean the chair back, start your dubstep playlist and HAX0R!
WRONG! Lol.
I actually felt really lost when I started. I had an IP range, and knew what I needed to do… I just didn’t know how to start.
Again… do what you’ve learnt.
I can’t go into details here, but start with the basics of enumeration you learn. DNS, whois, the ping sweep you created. Use those. 
Nmap lab range scan.
Now there is no order to attack, but you should have some plan.
For me, I did a lab-wide nmap scan of the top 10 ports and an aggressive (-A) scan across the whole public range.
With these results, I first went for XP/2000 machines. Especially those with SMB.
If you’re familiar with MS08-067 or MS17-010, you should be able to pop a box quite quickly. Do this. Get some confidence first. 
I rooted my first with Metasploit, but then attacked it again with a python based script.
After this, I literally started from the lowest IP, and owned box after box, moving on to the next IP.
The first 10 machines were the hardest and absolutely tested my patience and understanding. They all varied, but trying to get into the right mindset took time. I think the first 10 lab machines are what make or break you.
Rabbit-hole Google searches, learning that firing off random exploits is dumb, knowing when you need a break etc… This is where you learn and develop your enumeration skills.
After my first 10 roots, I felt like I had not mastered, but had started to develop, an enumeration framework that worked for me:
  • Review NMAP scan
  • Target listening services with appropriate tools.
  • Review again
  • Perform full 65,535 TCP scan
  • Target listening services with appropriate tools.
  • Review again
  • udp-proto-scanner.pl is yo friend!
  • Check service versions
  • READ exploits. I mean READ and understand them
  • Test them. Doesn’t work? READ them again.
  • Got a shell? Enumerate again
  • Rinse and repeat!
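As an added example (not from the post or the course material), here is a small Python parser for nmap’s greppable (-oG) output that covers the “review nmap scan / target listening services” steps above: it lists open services per host, inverts that into a service-to-hosts view, and orders hosts for a first pass with SMB-exposing Windows boxes first, as the post describes doing. The scan excerpt, addresses and banners are constructed.

```python
"""Review nmap -oG output: open services per host and a first-pass order. Sample data is constructed."""
from dataclasses import dataclass, field

# Constructed -oG excerpt (tab-separated fields, as nmap writes them); hosts are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated as: nmap -A -oG lab.gnmap 10.11.1.0/24\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\tOS: Microsoft Windows XP SP2\n"
    "Host: 10.11.1.8 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, 161/open|filtered/udp//snmp///\n"
    "Host: 10.11.1.13 ()\tPorts: 21/closed/tcp//ftp///, 80/open/tcp//http//nginx 1.4.6/\n"
)

@dataclass
class Host:
    ip: str
    os: str = ""
    services: dict = field(default_factory=dict)  # port -> {proto, name, version}

def parse_gnmap(text):
    """Return one Host per 'Host:' line that carries a Ports: field."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and ping-only 'Status: Up' lines carry no services
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = Host(ip=fields["Host"].split()[0], os=fields.get("OS", ""))
        for entry in fields["Ports"].split(", "):
            # each entry is port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, name, _rpc, version, *_ = entry.split("/")
            if state.startswith("open"):  # keeps both 'open' and 'open|filtered'
                host.services[int(port)] = {"proto": proto, "name": name, "version": version}
        hosts.append(host)
    return hosts

def services_by_name(hosts):
    """Invert the view: service name -> IPs exposing it (the 'target listening services' step)."""
    index = {}
    for h in hosts:
        for svc in h.services.values():
            index.setdefault(svc["name"], []).append(h.ip)
    return index

def triage_order(hosts):
    """First-pass order: SMB on a Windows box first, then the hosts exposing the most services."""
    def key(h):
        smb = 445 in h.services or 139 in h.services
        return (not (smb and "Windows" in h.os), -len(h.services), h.ip)
    return [h.ip for h in sorted(hosts, key=key)]
```

Feed it a real `-oG` file with `parse_gnmap(open("lab.gnmap").read())`; closed ports are dropped, so re-running it after the full 65,535-port scan shows only what actually changed.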
I’m highlighting the word READ for the exploits, because I think this is a major point of the course. They want you to understand:
  • What’s the vulnerability?
  • What’s the exploit trying to do (how is it exploiting it)?
  • What is your target system’s environment like?
  • What’s the difference between the exploit script and your target?
  • How can you modify the exploit to match your target?
  • Do this until you get a shell or die in your chair. (Lol not really, know when to move on!)
I never did feel “ready” to sit the exam. But after the 20th of April, I decided to book my exam.
Up until this point I had rooted 39 boxes.
I had owned the majors (Pain, Sufferance and Humble).
When I went to book there was a 1 month wait! But what I noticed was dates were appearing and disappearing. My assumption was people were booking then changing the dates. Luckily I was able to land an exam at 7AM on Monday 30th of April.
Over the next 10 days, I rooted a few more machines (including gh0st).
In the end, I had a few machines in the DEV network, all public machines rooted and a few in the IT network. I never did get to the admin network. 
In total, I roughly spent 52 days within the labs to achieve what I achieved.

--> EXAM PREP
The weekend before my exam, I spent the Saturday just collating all of my tool syntaxes and getting my KeepNote ready for the exam.
At this point, my lab and exercise report was completed and already in PDF format.
I had also drafted the exam report, which was ready for me to insert screenshots and write-ups of each machine.
On Sunday, I had a quiet one at home and just relaxed. I prepped some lunch for tomorrow and ensured I had some snacks to keep me going throughout the exam day. Including these bad boys (best thing to keep you going!)


I got an early night, as I wanted to be up early and ready.

--> 0700 - 20180420
Alarm went off at 6am. Got up, had a shower and made a substantial bacon and egg breakfast.
I also made a large amount of coffee to get that caffeine running through the veins.
Sure enough, exam email came in at 07:00:00 (Would love to know what elite email system they use here. Shits on time all the time!)
My plan:
  • Kick off nmap scans
  • Do the BO machine first (25 points)
  • Short break
  • 10 point machine
  • Lunch
  • Jump between the remaining machines until I have enough points
  • Out for dinner with wife to celebrate the last few months
  • Perhaps a movie?
  • Bed by 11pm.
What actually happened:
  • 7:45AM BO machine… got that one done pretty quickly. 45 mins?
  • Had a snack
  • 9AM Got my 10 point machine in about an hour…
  • Confidence boost (expecting to finish just after lunch)
  • Started on the other machines…
  • 11AM nothing
  • Lunch
  • 2PM nothing
  • 4PM nothing
  • ....
  • 1 AM nothing
  • Crashed on couch for 30 minutes
  • 2AM nothing
  • 3AM nothing
  • 4AM why am I doing this course? I suck! Perhaps I should change my career?
  • 5AM BREAKTHROUGH low priv shell
  • 6AM Successfully escalated on other 25 point box
  • 7AM I just stare at the screen for a while, and I’m wide awake.
The exam was tough. At the beginning, I really thought I had this in the bag and would be done by the time my wife got home from work. Boy was I wrong.
Reflecting back on it, for some reason, I got stuck in a loop of trying the same things over and over. 
Part of that I think is nerves and fatigue. I was taking notes, but performing the same thing again a few hours later. I got into some sort of rut. Essentially I was chasing rabbit holes that led nowhere.
When I tried to get some sleep around 1AM, I was so wired. I don’t think I actually slept, I just closed my eyes. But my brain was running at a thousand kilometres.
At the end of the exam, I worked out I had somewhere between 65-75 points. 
After finishing the first 24 hours, I was wide awake and exhausted at the same time. I needed some sleep. I got a few hours’ sleep and woke up around 10AM/11AM. I spent the next 5 hours putting together my exam report. 
I had a few issues uploading my two reports, but after speaking with support I got that sorted.
At around 6PM on Tuesday 1st May, I was done and dusted. 

--> MAY 2nd @ 7:50PM
I was still on edge and constantly thinking. Did I pass? Did I do enough? Why did I do that etc…
I’m surprised the F5 key on my keyboard still works, as I was bashing that thing constantly. 
I was out and felt my phone vibrate. I saw a new email with the title:
“Penetration Testing with Kali Linux - OSCP Certifica……”
The subject was cut off and my heart dropped. Oh shit… here we go:

Dear n33dle,

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.



I passed!!!!! I was so excited, had a smile ear to ear and was so relieved. All that hard work had led to this and paid off.
I still had a few days left of lab access, but by this time… I had a bit of OSCP fatigue and was done. I let it lapse and never went back into it…

--> SUMMARY
When I look back from when I started to after the exam, the amount I’ve learnt and the skills I’ve gained have been amazing. I’ve attended and sat courses almost 10 times the cost of the OSCP, and they haven’t given me back the same level of satisfaction.
This course really does test your patience and really gets you thinking. You need to have the will and determination to learn and pass this exam and course. If you’re doing it to just get the OSCP certification, you’ll probably quit and give up.
If you want this and are ready not to give up, it’s absolutely possible and you can do it.
I had to make some sacrifices during this time to really focus and give it my 110%. Everyone is different, but for me I had to do this.
For anyone about to start the PWK course, the exam or in the middle of it: don’t give up, and when it gets tough, sit back, reassess, and try harder. You’ll get there. It’s not impossible and sometimes you have to think like an admin, or think literal. Don’t overthink things, try basics. If you find yourself going in circles, move on to the next box, or try the next service. There’s always a way in.
Feel free to reach out if you have any more questions, happy to answer.

--> n33dle
