Complete OSCP Review
This week, I completed the OSCP as part of my “All the certs!” journey. (You can read about my full offensive security round-up, which includes links to the other offensive certification reviews. You can also read my “getting your first cyber job” post here if you’d like.)
Overview
As part of the Learn Unlimited plan from Offensive Security (more on the different plans below), I recently completed the OSCP. I plan on doing multiple OffSec certs, so it made sense for me to do the Learn Unlimited plan. I have always been more of a SANS guy, but figured it was past time to obtain this one. At this point, I was the only tester at Dispareo Security who didn’t have the OSCP, and in order to meet and maintain standards, I needed to knock it out.

Offensive Security Plans
There are several plans for OSCP training. This post will focus on the OSCP training and not the many other certs they offer.
First is 90 days of lab access for $1,499. This includes 1 exam attempt; subsequent exam attempts are $249. Lab extensions are $359 for a 30 day period. OffSec no longer offers the 30 and 60 day lab windows they have in the past.
The second option is “Learn One.” This allows you to pursue any single course, such as the OSCP, for a year. You have a year for the labs, two exam attempts, and access to the “Proving Grounds.”
The third option (and the one I took) is Learn Unlimited. This gives you unlimited access to all OffSec courses and unlimited exam attempts. Now that the OSCP is complete after a few months, I still have about 8 months remaining to pursue the OSEP/OSED/OSWE certifications. While I doubt I’ll bag them all in one year (I’m also a student and work full time), it will be nice to have a goal. If I obtain 2, it will still have been a better deal for me than purchasing 90 day labs separately.
Training
Exercises
The more formal training is broken up into 20 modules (file transfers, password cracking, etc). Each module has a “book” (a PDF), some videos, and exercises. Some of the exercises are meant for you to do on your own, and some of them are tracked with flags. If you are brand new to offensive security, you will likely want to start with the exercises for each section. These are NOT the “labs” — those come after. (You can do the labs first if you are already seasoned, but I strongly recommend doing the exercises either way, both for the points and for the help.)
Note — the exercises were difficult, mostly because the instructions were hard to follow, they didn’t work quite right, or the exercises included things the material had not yet covered. They were quite frustrating at times, but it was worth it to complete them for the bonus points and, honestly, there was good material there. I do hate that you can only have one exercise VM instance running at a time.
OffSec recently changed their policy so that you no longer have to write the lab report to get bonus points on the exam. Instead (and this is much better, IMO), for the exam bonus points you have to complete 80% or more of the practice exercises, verified by obtaining each flag. (The 80% only counts the tracked exercises, not the ones you do on your own.)
Here’s a snippet of the modules:

Labs
After completing the exercises, you’re ready to hack some boxes! There are approximately 75 lab machines across several networks. To receive the extra bonus points, you have to compromise 30 machines, obtain “proof.txt” from each one, and paste it into the portal. You can get them from any of the networks, but I strongly recommend including at least a few machines that require pivoting.
The labs range from quite easy to absolutely brutal. There are several Active Directory ranges (I strongly recommend doing them). There is no set number of labs you should do before you test, but it will likely be in the 30+ range anyway. I had 45 roots and feel like that was adequate.
One of THE MOST IMPORTANT THINGS about this process is to LEARN. Do not reach out for hints, and do not spam the Discord trying to collect proof.txt files just to say you got the roots. Really understand the enumeration and exploit process. Be curious about the inner workings, and the roots will come naturally.
The Exam
As most of you already know, the exam gives you 23 hours and 45 minutes to obtain 70 points (or 60, if you have the bonus points from the exercises). Active Directory counts for 40, but they do NOT give partial points for the AD compromise. There are 3 standalone servers worth 20 points each (10 for a low-privilege shell, 10 for the priv esc). There was no correlation between the standalone servers and the AD environment. There is obviously a correlation between the different machines within the AD environment, though, just like in the labs. Some people prefer attacking all 3 standalone boxes, some prefer AD + 1 standalone box. I went for them all, and while I couldn’t priv esc the last standalone server, I compromised the rest (with my bonus points, that should be 100 points).
The exam itself is not terribly “technically” difficult per se, but it is difficult to pass due to 2 main gotchas:
- A LOT of enumeration. OSCP boxes have LOTS of rabbit holes that *look* like legitimate vectors but are dead ends. The software version might look almost exactly like an exploitable version, but that particular bug might be patched anyway. Obvious ports like 80/443 are often dead ends, but weird ports end up being the thing to check out.
- Time. You’re racing against the clock. 24 hours to attack 6 boxes (including AD) means that to reach 70, you need a new shell OR a priv esc roughly every 4 hours to stay on track, assuming no breaks. This is very possible, but it is also easy to waste an hour or two on an attack vector that isn’t valid, or a priv esc method that doesn’t work.
Standalone Boxes
The difficulty of the standalone servers varied pretty widely. For instance, one of the servers from start to finish took less than an hour. It used a known exploit with no modifications, and the priv esc took about 5 minutes. This was, admittedly, NOT the rule, though. It seemed like there was an easy, a medium, and a hard one.
Not every exam includes the buffer overflow, but mine did. While I have done the BoF before, I struggled with it this time because it was a bit janky. I ended up getting it after a few hours, but I had significant trouble with part of it and kept wondering if something about the lab was wrong. This was the only box I could not priv esc all the way. The whole box was kind of unstable, and once I lost my shell I had to reset it and resend the payload.
Active Directory
During my exam, there was only one Active Directory box that was directly accessible. The kill chain required compromising this one and pivoting to the rest. The pivoting was not overly difficult, but I also had to pivot a lot during the eCPPTv2 and PNPT exams earlier this year.
The vectors on the Active Directory machines were roughly the same difficulty as the other machines. In my mind, whether you should go for the AD compromise for 40 points or the standalone servers for 20 each really comes down to whether you feel comfortable with Active Directory attacks or not. The AD servers were roughly on par with the lab AD servers.
Wrap-Up
I wanted to conclude with a couple of key pieces of information that might be helpful.
I cannot stress enough the importance of 1) not overthinking it and 2) trying DIFFERENTLY (not harder), again and again if necessary. If something doesn’t work, take a short break and think about it. Don’t keep hammering away at the same thing over and over!
Something that really helped me out: every time I got a shell, I immediately generated an msfvenom payload and spawned 2 extra shells, so that if one froze I could go into another and kill it with taskkill or kill -9.
Lean into your priv esc scripts. I think every priv esc I had (with the one exception that I never fully figured out) showed up in their output.
Learn Windows priv esc really, really well. Every exam is different, but I only had 1 Linux box, and it was really easy. I’ve had more Linux in past exams, but either way, you’ll definitely need to know Windows priv esc.
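To make the last two points concrete, here is an added example (my own illustration, not the author’s scripts and not code from OffSec or from winPEAS/PowerUp) of a few of the classic Windows checks those priv esc scripts automate, written out by hand in PowerShell so you can see what a “hit” actually means. It assumes you are running as an ordinary local or domain user on the target; the list of low-privilege groups and the regexes are my own approximations and will produce some false positives.

```powershell
# Added example, not from the original post: hand-written versions of a few
# checks that Windows priv-esc scripts automate. Run from the shell you land
# with. Every hit is a lead to verify by hand, not a guaranteed path.

# Identities whose write access usually means "us" from a low-priv shell.
# (Assumption: the compromised account is a normal, non-admin user.)
$lowPrivGroups = 'Everyone|Authenticated Users|\\Users$|INTERACTIVE'

function Get-UnquotedServicePath {
    # Unquoted path with spaces: the service manager tries C:\Program.exe,
    # then "C:\Program Files\Some.exe", ... so a writable directory early in
    # the path lets a planted binary run as the service account.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } |
        Select-Object Name, StartName, StartMode, PathName
}

function Get-WritableServiceBinary {
    # Service binaries whose ACL grants a low-privilege group write/modify.
    # 'Write' also matches WriteAttributes, so treat matches as leads only.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = $null
        if ($svc.PathName -and $svc.PathName -match '^"([^"]+)"')        { $exe = $Matches[1] }
        elseif ($svc.PathName -and $svc.PathName -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }
        if ($exe -and (Test-Path -Path $exe)) {
            $weak = (Get-Acl -Path $exe).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $lowPrivGroups -and
                $_.FileSystemRights.ToString() -match 'FullControl|Modify|Write'
            }
            if ($weak) {
                [pscustomobject]@{
                    Service = $svc.Name
                    RunsAs  = $svc.StartName
                    Binary  = $exe
                    Grants  = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                }
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # Both the machine and user policy values must be 1 for an .msi supplied
    # by a normal user to install as SYSTEM.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hits = 0
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v -and $v.AlwaysInstallElevated -eq 1) { $hits++ }
    }
    return ($hits -eq 2)
}

function Get-AbusablePrivilege {
    # Token privileges with well-known escalation paths (for example the
    # Potato family for SeImpersonate/SeAssignPrimaryToken, registry hive
    # dumping for SeBackup). Disabled privileges can usually be enabled.
    $interesting = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
                   'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
                   'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
    $rx = '^(' + ($interesting -join '|') + ')\s'
    whoami /priv | Where-Object { $_ -match $rx }
}

'== Unquoted service paths =='     ; Get-UnquotedServicePath  | Format-Table -AutoSize
'== Writable service binaries =='  ; Get-WritableServiceBinary | Format-Table -AutoSize
'== AlwaysInstallElevated (both keys set) =='; Test-AlwaysInstallElevated
'== Abusable token privileges =='  ; Get-AbusablePrivilege
'== Saved credentials (runas /savecred candidates) =='; cmdkey /list
```

Each block maps to one exploitation path: a writable directory on an unquoted path or a writable service binary gets a planted executable and a service restart (check `StartMode` and whether you can stop/start it first); `AlwaysInstallElevated` gets a malicious .msi; an impersonation privilege gets one of the Potato tools. The point of writing it out is that when winPEAS lights something up in red, you know exactly what condition it matched and what to verify before you spend an hour on it.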
Good luck, and stay caffeinated!!