A splash of Pain, a dash of Sufference, and a bucket load of Humble.

If you recall my article titled “The will, the Wifu, and the paper”, I made the decision that 2014 would be all about creating my own destiny in the security world. Not simply to continue dipping my toes into the shallow end of the security space, but to fully immerse myself in the discipline. After passing the Offensive Security Wireless Professional (OSWP) certification, I was asking myself: where to from here? Well, I ended up answering that question, and the decision was made to target the Offensive Security Certified Professional (OSCP) certification. What follows is my brief review of the course and the associated OSCP challenge.

OSCP

Getting Started

Offensive Security’s Penetration Testing with Kali Linux (PWK) is a self-paced course, with a number of options for the amount of lab time you would like to purchase: 30, 60, or 90 days. I chose 90 days for a number of reasons; firstly the cost is comparatively low, and secondly it seemed to be the obvious period of time which would fit in with family and work commitments.

Signing up for the course is as simple as registering at the Offensive Security website. After roughly 24 hours you will be emailed a link with information regarding when you will be starting your course (courses commence every Sunday at 1000hrs GMT +10), as well as information on how to connect to the lab via VPN. You will have 48 hours to test your VPN connectivity to ensure that you will be able to complete the course reliably. The email will also provide a link to a customised version of Kali Linux, and a further link to complete your purchase of the course.

Course Material

As with all Offensive Security courses, PWK is completely hands on. The lab guide is roughly 360 pages, and it should only take you a couple of weeks to get through the material if you already have foundational knowledge in the penetration testing space. Accompanying the lab guide are training videos with step by step instructions of various penetration testing techniques. As with other Offsec courses, the material is well written and the videos are clear and direct. All pages of the guide are watermarked with your student ID and name, and the videos are also watermarked with the same as well as your personal contact details.

Make sure you back up your videos and course material, as there is an associated fee should you need to re-obtain the material.

The Lab

Enumerate, document, enumerate, document, enumerate, document! This is the key for getting through the lab.

At the time of me writing this, the lab environment consists of 56 lab machines, separated into a number of different networks. You will be initially immersed into the student or public network, and depending upon your ability and time commitment, you will be able to progress into additional networks after rooting specific boxen. The difficulty of owning the machines varies from simple well-known exploits, to more difficult hosts like the big 3 boxen known as Pain, Sufference, and Humble.

I managed to own all 56 boxen in the lab, including the big 3, and have been asked many times for advice and guidance on how to get through the labs. Here are some dot points which I think may be helpful:

  • Document as you go: This is the most valuable piece of advice I can give and I will dedicate a section just to this due to its importance.
  • Enumerate: If you think you’ve enumerated the host as much as you can, enumerate more. Some boxen have important information you may need as you progress through the lab, and some boxen are impossible to own if you do not enumerate the host enough.
  • Get the low hanging fruit: When you start in the lab, it will feel overwhelming. Where do you start? How do you know if you’re progressing on a host? Set yourself a time frame by which you should have progressed or at least obtained a footprint into a box. I would say 1 hour on a host at the beginning is enough time to work out if you’re getting the low hanging fruit or if you need to move on.
  • Revert the host: You will be provided with a number of revert (reboot) tokens via your student control panel. As the labs are a shared environment with other students, it is possible that the host you are attacking is in an unstable state, or is not in the original state required for you to own the host. Without fail I would revert a host prior to starting the enumeration process. Also, if an exploit I believed should have worked failed, or if an exploit didn’t do what was expected, I would revert again to ensure the host was back to its original state. Do not worry about reverting the box because ‘someone else may be using it’. You will never get through the course if you play nice.
  • Communicate: An IRC channel (#offsec) is available to all students via freenode. This is a great resource for asking/answering questions with other students, as well as the ability to discuss particular issues or have questions answered in a private message with admin staff. Simply ping admin in the channel and when someone is available they will pong you back. Some admins don’t request that you ask them if you can private message (pm) them, however I always asked first as a matter of courtesy.

One last note I would like to make about the lab is around the use of Metasploit. No doubt you are aware of how great this tool is for penetration testing (if you aren’t, have you been living under a rock?), however my advice is to stretch your wings and not rely solely on the tool during the lab. My approach in the lab was to try ‘manual’ exploit techniques first, and use Metasploit only when necessary. If I owned a host with an exploit from a source such as exploit-db, I would also then own the host with Metasploit if possible.

Documentation

I cannot stress enough how important documentation is throughout this course. In order to pass the OSCP exam, you will need to demonstrate your solid documentation skills in the form of a penetration test report. If you have not written pentest reports before, you will need to get your skills up to scratch quickly, and the lab is the perfect environment for this.

I documented all enumeration results and any other important information with the use of the KeepNote tool. I utilise this tool on a day-to-day basis at work and personally, so it was only natural for me to use it during the course. I find the tool very easy to use, and yet configurable enough to allow me to document in my own style.

[Screenshot from KeepNote]

For obvious reasons I have blocked out any data that cannot be publicly shared, however this shows the basic structure I used for the course. As I completed a box I moved it into a ‘completed’ folder, and then once the box was reported, I would move it into a ‘reported’ folder. Spend some time getting your note taking process well tuned, and document everything and anything so that should you need to revisit the host you can determine exactly what you have/haven’t done so far.

For my course and exam challenge, I submitted two separate formal reports. One report for the lab machines, and a separate report for the exam machines. My lab report was 369 pages and had a breakdown of how every host in the lab was owned, as well as an appendix section with screenshots from the various reportable exercise activities in the lab guide. In a similar format, my exam report consisted of 56 pages.

The Exam

The most important bit of advice I have for the course, and in particular the exam, is: have fun! Yes it’s going to be challenging, yes you’re going to be nervous, but if you don’t have fun you’ll never get the most out of the experience.

In order to achieve the OSCP certification, you will need to sit and pass a 24 hour exam. Oh… sorry… seems you have fallen off your chair? Was it the mention of a 24 hour exam? You heard correctly. The time allocated for you to complete the exam is a single continuous 24 hour period. Not only will your penetration testing skills be tested, but also your time management ability.

You are required to access/own a number of hosts in an exam network and submit a penetration test report with explanations and screenshots of all steps taken. Each host is allocated a set number of points for ownership, and you must achieve a minimum number of points in order to pass the challenge.

If you are sitting the exam, you will be confident in your skill levels having completed all lab guide material and owned, at a minimum, all hosts in the student/public network. As mentioned above, the real test is going to be your time management. So how do you get through it? Easy… relax, eat, breathe, and rest. Prepare some wholesome meals prior to your exam day, and make sure you have a steady flow of caffeine available. Take your time and ensure you have a break every now and then. I would advise that you work hard for two or three hours, and then take a good break away from your computer. Go for a walk around the block or some other type of activity and give yourself a breather. More often than not this break will freshen your mind and give you clarity just when you need it.

The End

This course is extremely well put together, the information is well taught, and the formula of self-paced learning coupled with real people willing to answer your questions and help is a great combination. Offensive Security have created a very different course to other vendors, and the recipe ‘just works’. I would strongly recommend this course to anyone that wants to get their hands dirty and has an interest in all things security.

A very very big thank you to my wife. You are my rock, and without your support I would have never gotten through this challenge. Thank you for being so patient and understanding. I love you.

Dear Mark,

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification challenge and have obtained your Offensive Security Certified Professional (OSCP) certification.


Q&A

Here are some common questions, in no particular order, which I have been asked, and my own answers to the same. Feel free to ask me any other questions you may have and I will happily answer them and respond accordingly.

I am not a programmer. Do I need to know how to write code?

Everyone is different, and your ability to learn will determine whether you need to know how to write code. If you can read code, and find your way around the different syntaxes without too much trouble, I would say you’ll be fine. If you have never seen code and it’s all just gobbledygook, then I would argue you are not ready for this course yet and you should spend some time learning a bit of C/C++, Python, and shell scripting. There are plenty of great free resources on the interwebs to help you with this.

How do I know when I’m ready to take the exam?

If you know all the material in the lab guide, and you have owned all the hosts in the student/public network (excluding Pain, Sufference, and Humble), then you should be ready to sit the exam.

Should I just own the student/public network?

Whilst you could complete the certification challenge just owning the student/public network, my advice would be to own as many hosts/networks as you can. There are further techniques you will learn in other networks which you do not get to use in the initial network. The PWK lab is such a great and well planned resource, so spend as much time in it as you can.

How long did it take you to own all of the lab machines?

Four months in total. I signed up for 3 months initially, and then added another 30 days of lab time on top of that. Why? Because I wanted to get Pain, Sufference, and Humble. I came into the course with a goal to own these 3 boxen and I was going to continue extending my lab as long as I needed.

Can you tell me how to own host xyz?

Sure! Chat to the admins on the IRC channel. They will help push you in the right direction in order to own the host.

Can you share your notes or pentest reports?

No.

Should I use the provided Kali VM or use my own distro?

Use the Kali VM provided by Offensive Security. Whilst it is the same Kali that you can download yourself, it does have a few tweaks made specifically for the course. You can do the course with your own distro if you choose, however you MUST use Kali for the exam.

In one word, what was the exam like?

BRUTAL!

What’s next now that you have your OSCP and OSWP?

I think I can handle another round of “Try Harder”, so the OSCE is definitely high on the list. Apart from that, 2015 will be the year I take a look into CTFs. I have also set myself a goal to find an exploit and have my very first CVE assigned.