OSCP: The myth and the reality

I've read a lot about the OSCP (Offensive Security Certified Professional) certification, and I wanted to describe my own experience to put into perspective other things you might see on the Internet.

What is OSCP?

This is an information security certification managed by Offensive Security. It comes with the course named Penetration Testing with Kali Linux and is taken remotely, with access to a dedicated lab environment where you can practice your skills.

The main difference from other certifications in the infosec world is the practical nature of this one. Indeed, the exam does not consist of a long list of multiple-choice questions, as is often the case with other certifications. Instead, you are granted access to the exam environment for 24 hours, during which you need to compromise a few systems by exploiting vulnerabilities and escalating your privileges. In addition, you also need to provide a complete report of your activities, as you would if you were hired by a company to perform a real penetration test on their environment.

You can choose between 30, 60 or 90 days of access to their lab environment. Whichever option you select, you will also receive the course content, which is a large PDF document and videos covering the different chapters.

My experience and advice

It is a much harder challenge to take this certification if you have never been exposed to pentesting or vulnerability assessments in your job or elsewhere. Although I think it is still possible, you'll need to work significantly more and spend some time gathering information from alternative sources.

In my case, I had been working for 2 years in a team responsible for performing penetration testing internally within the company, and I could definitely leverage that experience for some aspects. I also have a development background, which made the exploit development part easier, but it is not mandatory to have programming skills.

Time management

You can easily spend between 100 and 600 hours on this course. Therefore, you will need to plan your time accordingly, even before starting the course, to make sure that you can allocate at least 5 or 6 hours per week. This is sometimes a challenge if you are working full time and want to keep some kind of social life as well. In my case, I was working full time (40 hours / week) and worked on the course mainly on weekends. I completed the PDF and the videos, together with all the exercises, during the first month. The exercises are not mandatory to get the cert, but they can grant you a few bonus points that might allow you to pass. It is good preparation in general, so I strongly encourage people to take the time to do them seriously.

During the two remaining months, I spent my time in the lab trying to root as many boxes as possible. There are about 50 of them, split across different network segments, so you sometimes need to find a jump host to hack the hosts behind the firewall. In the end I managed to root 17 of them, and got low-privilege shells on a few more. Due to additional workload from my job, I sometimes spent weeks without connecting to the lab. I didn't manage to spend much time on the hard ones (Pain, Sufferance, gh0st...) and could get into the IT network but no further. Overall, I did not spend more than 100 hours working in the lab.

Preparation before the exam

I scheduled my exam just 2 days after my access to the lab expired. During the 2 weeks before the exam date, I worked in the lab every day after work, and I also polished the lab report with the exercises. Finally, I really practiced some of the exercises again and again, mainly the exploit development ones.

I was really stressed, as I was reading multiple testimonies on the Internet from people saying that they had rooted all the hosts in the lab and still failed the exam 2 times before passing it. I had only rooted 17 of them, and not the really hard ones. Nevertheless, I didn't want to extend my lab time and wanted to see what the exam looked like, even if I had to retake it afterwards...

The exam

It was a Monday morning. I had scheduled it at 10 am, thinking that if I could get the minimum passing score (70 / 100) before nightfall, I would have a much better night and would actually be able to sleep. I woke up at 8 am and, after breakfast, started preparing my environment: booting up the Kali VM and opening all my browser tabs with privilege escalation techniques.

I received the email with the connection instructions for the exam environment. I read the instructions and connected to the control panel, where you can actually see the number of points you will get for a successful compromise of each host. Before starting with the first VM, I launched a full Nmap scan of all of them so that I wouldn't waste any time later on. I started with the first one, the one for which you need to develop something yourself; in 90 minutes I had it fully rooted, 25 points in the pocket.

In the meantime, my Nmap scans had completed, so I could look at the results and start attacking the second host worth the highest number of points (25). After 30 minutes I got a shell as a limited user, and I spent some time looking for potential escalation vectors. It was around 1pm when I got the root shell. Nice, 50 points before lunch :)

I gave myself a 30-minute break for lunch, then started looking at the other machines. I got a low-privilege shell on one of them but didn't find any escalation path. Then I moved along and attacked one that gave me admin access directly. Unfortunately, that one was only worth 10 points, so I was close to 70 but not yet there. I looked at the last one and managed to get a low-privilege shell, then spent probably 3 hours before being able to escalate.

By dinner time, already 8pm, I had 80 points plus the low-privilege shell (probably around 10 points), so 90/100; I was in good shape. Although I was already almost sure to pass, I kept working after dinner on the only one that was not rooted, but couldn't find anything. Probably I was too tired by then. I gave up around midnight and went to sleep.

When I woke up around 8am, I still had some time, but I used it to make sure I had all the evidence needed for the report and that the flags were entered correctly in the control panel. I took a break and started writing the report. Everything was in KeepNote, which I had used to document everything during the exam, so it was mainly copy-paste and formatting. I sent the report around noon and went to sleep, now that the stress had vanished.

The next day I went to work and, in the afternoon, received an email saying that I had passed. Nice :)

Conclusion

I mainly decided to write this article to add some nuance to what you can read out there. You don't need to spend 500 hours in the lab unless you really have the time to do it. If you already have some background in security, and you understood and are able to reproduce the attacks explained in the course guide, then you have a good chance of succeeding at the certification. Make sure you get enough sleep and are fed properly, because your brain will need to work at 200% for at least 10 hours. I also think it's better to start your exam in the morning so that you give yourself a chance to sleep.