OSCP – the road from failing to 105

OSCP Review by d7x - PromiseLabs - d7x's blog

Introduction to my OSCP Journey

Although this post is meant to be an overall overview of, and resource for, how to prepare for OSCP, it is mainly targeted at those who didn’t manage to pass on their first attempt. I am one of those people too, and that made me make the necessary adjustments in my learning process. There are tons of OSCP reviews by people who got the certification after their first exam, and I am not one of them. Yes, I failed it. And do I regret it? Hell no. I dedicated myself to it and learned tons of stuff since my first exam attempt, and this post is aimed at those who failed their OSCP exam attempts: what to stress while preparing so that you successfully meet the requirements for the OSCP certification.

As you will see below, once I adjusted my priorities and learning process, I passed my exam with a full score of 100 points (all targets) and sent a lab report with 40+ targets from the OSCP labs, which is where the title of this blog post comes from.

Try Harder – It’s all about dedication and commitment

The Try Harder approach and mindset that the guys from Offensive Security have developed as one of their main values is a rule you should literally live by while preparing for OSCP. One of my biggest mistakes, which led to failing my first exam attempt and which I will come back to later in this post, was lack of dedication to the course. This applies with full force especially if you got involved with infosec at a later stage and not at the beginning of your career. People who started earlier have an advantage, but that by no means should demotivate you. On the contrary, it should get you more motivated to get in touch with the penetration testing methodologies and principles used nowadays in information security. Also remember that it’s not just about getting a certification, it’s about having the confidence to get deep into pen testing and advance further on the subject, as getting a security certification like OSCP should be considered just the start of it.

It’s not a race

Achievements of others should not demotivate you. Everyone has different conditions to get where they are going. For some it’s harder than for others. That is just a statement, so do not take it as an excuse. If you want to proceed further with what you’re into, there are no excuses. Remember that guy you saw on LinkedIn who is in his early 20s and has gotten all kinds of certifications from reputable security companies, like ISC2, Offensive Security, EC-Council or any other information security related company you may have checked out? Well, such people do exist – some of them cheated, and some of them are just talented, and in one of the next sections I’ll give you a reference to some of the guys I truly respect and whose knowledge I appreciate, knowledge gained through research, dedication and self-discipline. Some of the people I refer to below regularly post videos or articles related to hackthebox or vulnhub machines, and put a lot of effort into their own security research as well. No matter how talented you are, it’s still all about hard work shaping that talent to your advantage. No matter how talented a person is, talent does not work by itself – you still have to do the work.

As a summary to this section, my point of view is that everyone has their own road to success; you do not need to be like anyone else or like the people you follow – you can learn from them and use that to your advantage to create your own path. Remember that everyone lives a different life with different conditions – the guys who advanced at an earlier stage in their life either had some kind of life advantage which opened the door earlier for them, dedicated themselves really hard to it, or both. That doesn’t mean they didn’t have their own struggles in other aspects of life.

How much time would you need to prepare?

It’s strongly dependent on the background you have, the skillset you possess, and/or how fast you are able to learn. Everyone learns differently. If you feel like you need a month, take a month. If you feel like you would need a few months, you could either buy a few months of lab access at once, or extend your access depending on whether you feel like you need more time to practice. There’s also nothing wrong with preparing for OSCP for even a year, as long as you have the self-discipline to dedicate yourself and keep learning – the time spent will definitely pay off, I assure you. My personal advice would be to buy 2 months of lab access and use the time between your lab access expiry and your exam to read some of the books referred to below and to practice on vulnhub and hackthebox machines. As you have 90 days to prepare for your exam after your lab access expires, use them as you wish depending on how long you need to prepare, and plan your exam date accordingly. My personal preference was to have a month or a month and a half between the lab access end date and my exam. This gives me enough time to prepare and practice using materials outside of the OSCP labs, and not so much time that I drift out of the range of the OSCP course syllabus (yes, I tend to do that).

Have your priorities straight

As I’m one of the few people (or at least I’ve not met many?) who is into heavy training, like David Litchfield, the author of some emblematic security related books like The Database Hacker’s Handbook, SQL Server Security and The Oracle Hacker’s Handbook, and a co-author of The Shellcoder’s Handbook, one of my biggest mistakes while preparing for OSCP was not having my priorities straight. I used to keep in shape with an 8-pack all year round for about 2 years on a really restrictive diet, which means that my brain’s productive potential and efficiency was lowered at that time. Lack of carbohydrates, lots of cardio training and heavy exercise do decrease your efficiency and cognitive power. Once I changed this I was able to pay more attention to security research, read more books on subjects where I felt I had a blank area that needed to be filled, think more effectively, and have a more pleasant experience of the whole process while preparing for OSCP. In addition to this, I’m a motorcycle biker and a beginner windsurfer. And did I quit training and hobbies? No, I definitely didn’t, but I set my priorities straight and gave balance to my whole life schedule, in which security related research, dedication and involvement in the process weighed significantly / a bit more than before (you still do need to cool off occasionally, thus the ambiguity). This allowed me to learn much more in a much shorter timeframe. In case you have a job on a tight schedule, then you need to make a schedule fitting your habits and lifestyle. A good read regarding this is Paranoid Ninja’s OSCP review post; he had a regular job from 09:00 to 18:00, traveled 2 hours in each direction, and, quoting from his post:

“Once, I am back from office by 19:30, my aim was to solve at least two machines by 24:00. Some days 2 machines, some days 3, in this manner I was able to solve the first 35 machines by 25th of September”

Now all I can say is that’s what a straight schedule and proper dedication means.*

*Please note that as far as I know, Paranoid Ninja did have some security background prior to starting to prepare for OSCP. If you have no such background you may find it hard to keep up with a plan like this. 

Build yourself a methodology

You definitely need to build yourself a methodology and gain the habit of following it, instinctively. Personally I use tools such as nmap (sometimes masscan), unicornscan, dirb, dirbuster, gobuster, wireshark, burp suite, owasp zap, and even web scarab, which is a deprecated project but still has its practical uses. And of course the TCP/IP Swiss Army Knife – netcat. Remember this is just the main arsenal used most often. There are other tools you will learn by practice along the way. For notes I like cherrytree, because I believe it’s the best structured and it works fast. Some prefer keepnote, and there are cases where a person would even use vim, which is definitely overkill unless you have an outstanding short-term memory.

Read some books

Here is a list of my collection; I’ll put an [R] on each book I had read prior to successfully passing my OSCP exam:

TODO: put links on each one. 

OSCP preparation / Penetration Testing Books

Web Application Testing / Network Security Books:

Some additional penetration testing books in my collection:

Buffer Overflows / Exploit Development:

The books which are in bold above are, in my own opinion, a must-read when preparing for OSCP (although you will notice I didn’t manage to read all of the titles which are in bold, I still highly recommend them as I have either read them already or have found pretty good penetration testing book reviews of them). I have listed the pentest books in the order in which I personally preferred to read them, but after some research, and depending on your background, you should build a list adapted to your needs. Some of the titles like The Shellcoder’s Handbook are more applicable when preparing for OSCE, which is a course more related to reverse engineering and exploit development, but I still find it useful to have all of this in one list.

Additional Resources and following people dedicated to security

I have starred all the projects I find useful for a penetration testing assessment on my GitHub, so you may check there to see what I have starred. Some of the more important resources that might help you prepare for your OSCP exam are listed below.

Online CTF

Vulnhub VM Machines hackthebox

Twitter and youtube security related links

You can also check out the people I follow on twitter. Of course there are many other people who deserve respect for their security research and achievements, and I’m not that active on social media, but I tend to follow mostly people whose posts are only information security related, with some exceptions. Some of the people I pay most respect to are:
ippsec: ippsec’s twitter | ippsec youtube
PortSwigger: portswigger’s twitter | Web Security Academy
David Litchfield: David Litchfield’s twitter
Paranoid Ninja: Paranoid Ninja’s twitter
0xdf: 0xdf’s twitter
Bernie Lim: Bernie Lim’s twitter
Dan Kaminsky: Dan Kaminsky’s twitter
Emad Shahab: Emad Shahab’s twitter
dostoevsky: dostoevsky’s twitter
Dawid Golunski: Dawid Golunski’s twitter
Jason Haddix (JHADDIX): Jason Haddix (JHADDIX)’s twitter
x0rz: x0rz’s twitter
Pink_Panther: Pink_Panther’s twitter
Brute Logic: Brute Logic’s twitter
VectorSEC: VectorSEC’s twitter
m3g9tr0n: m3g9tr0n’s twitter
g0t mi1k: g0t mi1k’s twitter
ropnop: ropnop’s twitter

and others; you can check out my d7x’s twitter for a full view of who I follow.

This is by no means an exhaustive list and it’s in absolutely random order. I’ve mentioned those who are either mostly active with security related tweets and/or have some kind of extra contribution to the security community.

Following people on twitter in your area of interest will help you come across additional security resources which you may otherwise have missed.

In case anyone listed above wants me to backlink their website or youtube channel, just message me on twitter.

GitHub

GitHub has some great security related stuff. You may follow me on GitHub to see what I’ve starred and pick some projects of interest.

One of the most powerful and systematized OSCP resources I have seen on GitHub is swisskyrepo’s PayloadsAllTheThings – A list of useful payloads and bypass for Web Application Security and Pentest/CTF

You may also find some additional resources on CyDefUnicorn’s OSCP-Archives

Penetration Testing cheatsheets

I prefer to build my own penetration testing cheatsheets; however, there are plenty of them online, so you could search for one that fits your style and stick to it.

https://www.pentestmonkey.net
d7x’s penetration testing cheatsheet

Security Articles, videos and security guides
Basic Linux Privilege Escalation
Windows Privilege Escalation Fundamentals
Encyclopaedia Of Windows Privilege Escalation – Brett Moore (that’s a must watch!)
Level Up! Practical Windows Privilege Escalation – Andrew Smith

The following resources were provided by Offensive Security:

A few resources that may help you include:

Complete guide to the ‘Alpha’ machine in the labs – https://forums.offensive-security.com/showthread.php?t=4689
Vulnerable VMs www.vulnhub.com

Privilege Escalation:
Windows Privilege Escalation #1 – http://www.fuzzysecurity.com/tutorials/16.html
Windows Privilege Escalation #2 – https://toshellandback.com/2015/11/24/ms-priv-esc/
Basic Linux Privilege Escalation – https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Preparation for the exam

If you got this far reading, then congratulations – you have kind of achieved the most important step: dedication and commitment to your research. Prepare to read articles like this – read lots of them, and longer ones too (as long as you keep the syllabus you are preparing for in range; a longer article means either plenty of quality, detailed information, or excessive, out-of-scope information which is not worth the time you would spend researching it at this stage – either skip it or bookmark it for later if you find the subject interesting). OSCP is a hard exam, but it’s not the finish line of a destination, more like a step further, and that’s what you are getting involved in – many people on twitter have referred to OSCP as an introduction to security in depth.

Prepare a list of your mistakes

I literally had a list of the mistakes I had made when I failed placed over my desktop background image. I truly believe some of the guys who proctored my successful OSCP exam attempt probably laughed about this, but it was my way of reminding myself what to pay attention to when I get stuck. Some of it included a short methodology on how to do something specific, and some were just statements like the following, related to rabbit holes:

“Do not expect the same result while trying the same thing”
“Avoid rabbit holes”
“This is OSCP, not OSCE (stick to the syllabus)”

Please note that these are related personally to my habits and my own way of thinking, so if you are building yourself a list like this you should adjust it to fit your style and way of information processing.

Have your notes prepared

While you are hacking boxes in Offensive Security’s labs you’ll find yourself building new ways and methodologies of doing stuff – write these down, you have no time for research on the exam. The feeling of getting to use some stuff you researched is great (and of course there are always the times that you get a headache, but those moments make you build an instinctive pattern for how to research).

My advice is: whatever you can think of that can be prepared for the exam – have it prepared. Otherwise you may either miss it, or, due to the stress, get confused. Once again, you have no time to do detailed or in-depth research on the exam.

The exam deadline of 23 hours and 45 minutes given by Offensive Security is more than enough if you know what you are doing, and if you have practiced as much as you can prior to taking the exam.

You can also use my pen testing cheatsheet, which includes pivoting, curl, imap, sed, shells, privilege escalation, and Web Application / SQL Injection.

Follow a proper diet, related to the brain endurance requirements

This is definitely a subject most people either neglect, or are ignorant about.

While this is by no means a physical exercise, it is a brain exercise, and a very heavy one as well. Even people who have a decent background and go for the exam may find it hard to complete all the tasks on all targets within the required time frame, which is 23 hours and 45 minutes. Once it is over your VPN connection just drops, and you have an additional 24 hours to send your exam documentation in the form of a penetration testing report.

With the above said, the point is that the exam is not that hard by itself, but one of the things that makes it this hard is the limited time on the exam.
You’ll need the endurance to either be really, really effective in what you are doing, or you’ll need those hours to stay awake as much as possible, put sleep as a lower priority and fuel your body with energy, or in other words lots of calorie intake (quality long-term energy, not candies or chocolate – continue reading). What this means on a diet level is that you should stuff yourself with complex carbohydrates and high-calorie foods as much as you can before the exam.

My summarized advice regarding achieving the most enduring state for your body is as follows:
  • Eat plenty of complex carbohydrates the day before the exam (rice and potatoes are best, as they are among the most long-term energy providing foods)

  • Avoid energy drinks, both prior to and during the exam. They will give you a quick jumpstart at the beginning, but once their effect wears off you will find yourself much more energy depleted, nervous, and inefficient. This means you will feel the need to stuff yourself with more caffeine or energy drinks, which would lead to a vicious circle.

  • Eat plenty of complex carbohydrate foods, but do not eat big quantities at once, split it into smaller chunks – having a small meal every 2-3 hours is good, if you have been hitting the gym you would already know this.

  • On the exam, avoid simple carbohydrates and sugars – this means no chocolate or candies. You will be under stress and you will really feel the need to eat some sweets when you get stuck and exhausted, but this is actually your mental relief disguised by the insulin level devil. When you are under stress your body releases more stress hormones – adrenaline and cortisol rise, your nervous system is more alert, and your glycogen is getting depleted. Your body will need to fill this up, and there goes the need to eat something sweet to fill up your glycogen and adjust your hormone levels due to the excessive stress. What happens if you do is that you will relieve the stress, your glycogen will get filled instantly, and your insulin will rise rapidly. This will give you a short energy kick, which will have the opposite effect about half an hour to an hour later at most – you will feel sleepy, lazy, tired and demotivated. You do not want this on the exam, so be a man (even if you’re a girl) and save it for after completing the exam, the timeframe while preparing your report and prior to sending your OSCP Exam documentation.

  • You can drink caffeine (I’m really a caffeine addict, I admit), but do not overdose – proper food is of much more help.

  • If you feel sleepy and tired, eat a fruit with a low Glycemic Index – personally I prefer to make a fresh juice of two oranges and grapefruits, mixed together

  • Nuts are great for your brain, especially walnuts and almonds, have plenty of calories and no extra sugars.
    (these do not work instantly like fruits, and will probably take a few hours to kick in)

  • If you are doing well with the timing, remember to eat before you feel tired. It’s much better refueling before your calorie intake gets depleted.
    (otherwise you may feel too exhausted to even get to the kitchen, if you get to this point look at the post main picture)

  • Have these (fruits, nuts, meals and whatever you think would work for you) prepared before the actual exam – I believe it’s clear and obvious that you do not want to waste time going to the store.

Schedule your exam early and plan ahead

You definitely want to schedule your exam early and plan ahead. With Offensive Security’s courses, weekends are booked pretty fast and you’ll need to plan at least a month ahead, probably even more. Personally I scheduled my exam for Friday night (local time), as I feel more efficient during the night, and my plan was to do one or two of the tasks, get a short sleep to cool off and avoid overheating, then go on with the other targets the next day. It barely worked like this, but I tried.
(well, it actually kind of did, but undeniably not with the timing I expected)

Shortcut keys

In order to avoid wasting time clicking around, I set up shortcut keys for all actions which would otherwise require additional time, like taking screenshots. Bind a key combination for this with keys close to each other, so you can do it almost instantly without wasting even a second. Some people prefer recording video sessions of the whole exam; however, I find it ineffective scrolling through a video to find what I need, so I did both. I took a screenshot of everything needed to meet the requirements of the OSCP Exam Guide. In addition to that I recorded a video session of the whole OSCP certification exam in case I missed something.

The actual OSCP Exam

Be organized

One of the most important things on the actual exam is to be organized. I built a summary of the tasks I needed to complete in my notes file and followed it. When I complete a task I have the habit of striking it through, so that’s what I used to mark a task as completed. This lets me focus on the stuff remaining to do and avoid unnecessary distractions.

Be efficient (do stuff in the background)

If a task takes longer than a few minutes, you do not need to wait for it to complete. Just put it in the background and do something else you can observe while the backgrounded process finishes. One of the most important skills the OSCP exam tests is your efficiency: how you plan your timing and how you are able to combine tasks within the given limited time and do things in the most efficient way possible. Anything that can be left for later – leave it and come back after you have done enumeration of something more immediate.
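As an added example of the "do stuff in the background" habit (this is not code from the original post, and the task names and commands in it are constructed placeholders), the small POSIX sh helper below starts a slow command in the background, sends its output to a per-task log file, records its PID, and lets you check later whether it is still running and what exit code it finished with. It is meant to be sourced into the shell you work from, so that `wait` can see the background jobs; the `LOGDIR` variable and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny background-task runner.
# Each task gets $LOGDIR/NAME.log (stdout+stderr) and $LOGDIR/NAME.pid.
# Assumption: these functions are sourced into the interactive shell so that
# `wait` can reap the jobs (wait only works on children of the current shell).

LOGDIR="${LOGDIR:-./bg-logs}"

# run_bg NAME CMD [ARGS...]: start CMD in the background, logging to NAME.log
# and recording its PID in NAME.pid, then return immediately.
run_bg() {
    name="$1"; shift
    mkdir -p "$LOGDIR"
    ( "$@" ) > "$LOGDIR/$name.log" 2>&1 &
    echo "$!" > "$LOGDIR/$name.pid"
}

# is_running NAME: exit 0 while the task is still alive (and not yet reaped).
is_running() {
    kill -0 "$(cat "$LOGDIR/$1.pid")" 2>/dev/null
}

# wait_bg NAME: block until task NAME finishes and return its exit status.
# Each PID can be waited on only once; afterwards the shell forgets it.
wait_bg() {
    wait "$(cat "$LOGDIR/$1.pid")"
}

# wait_all: wait for every recorded task, print "NAME exit=N" per task,
# and return 1 if any task exited non-zero (so a failed scan is noticed).
wait_all() {
    failed=0
    for f in "$LOGDIR"/*.pid; do
        [ -e "$f" ] || continue
        name=$(basename "$f" .pid)
        rc=0
        wait "$(cat "$f")" || rc=$?
        echo "$name exit=$rc"
        [ "$rc" -eq 0 ] || failed=1
    done
    return "$failed"
}

# demo: only runs when the script is executed as `sh runner.sh demo`.
# The commands are constructed stand-ins for a slow scan and a quick check.
demo() {
    run_bg slow sh -c 'sleep 2; echo "slow task finished"'
    run_bg quick sh -c 'echo "quick task finished"'
    is_running slow && echo "slow is still running, doing something else..."
    wait_all
    cat "$LOGDIR"/*.log
}
[ "${1:-}" = "demo" ] && demo
```

Start the log directory fresh for each exam session (an old `.pid` file from a previous shell would make `wait_all` report a bogus exit code), and tail the `.log` file of any task you are curious about while it runs.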

Speed is important

While Offensive Security recommends using their VM, in case you lack the hardware needed for it to run properly I suggest setting up Kali as a host machine. You could buy an additional hard drive and configure it to boot from a flash drive, like I explained in this blog post.

I hate working from VMs when doing important tasks and I really appreciate the power of hardware performance when it comes to speed, so I just set up the latest version of Kali and upgraded it.

Of course, this is my personal preference and most fellas prefer to run it from a VM. Nothing wrong with either way as long as it runs properly on your box.

Avoid rabbit holes

One of the biggest mistakes I experienced was getting into rabbit holes. A rabbit hole is something that might look quite appetizing as a vector, but it leads you either to an unsolvable situation, or to one that would take much more time to complete than you actually have. This is why you should do a

Detailed enumeration

Try to do a detailed enumeration on each target and be patient with your attack. Of course, if you are sure something is attackable – attack it. But as said above, OSCP is by no means an easy exam no matter how strong a background you have.

Prepare some music that motivates you

Music is a great motivator. Prepare some stuff you like for hacking and when you feel like you need a push, play it. Try to have fun with the whole process. As my exam was proctored it was probably quite obvious at times that I was having a pleasant and positive experience. I even got so involved in the music from the Matrix that I decided to run tons of tasks at once and my 8-core CPU got stuck. I believe there were times during the exam when some of the proctors might have thought I was on cocaine. It was all quite natural, as during that time I was literally having fun hacking around, like I had just gone out for a Friday night amusement. Of course, those moments were few until the exhaustion kicked in, but I’m really grateful I experienced them. It was one of the most entertaining and at the same time brain torturing nights of my life. Do not overdo it with mentally heavy music, and have some rest when needed – your brain will be processing lots of information and as much as music can motivate you, it can also tire you.

Have some help

You may appreciate having someone supporting you during the exam – be it to have a conversation with when you get stuck, or just to have someone to motivate you, to make you a cup of coffee or a fresh grapefruit and orange juice (or whatever you prefer) – this will save you time and help you be more confident during the exam.

Be patient

Be patient for results. Now is the time to cool off and get back to your hobbies, look at the stars at night, anything that might help you not get obsessive as I did. As much as you want to learn your result instantly, the guys from Offensive Security state in the OSCP Certification Exam Guide that results are received within ten (10) business days after submitting your documentation. Please note that at the time I was taking my exam this statement was up to 5 business days, then I believe there was a time they changed it to 7 (if I’m not too lazy tomorrow I’ll check this on the Wayback Machine), and looking back it was 3-5 business days. As my result was a bit delayed I emailed offsec to ask about it; I had been putting so much effort into passing the exam that I got paranoid and obsessive and thought there was an issue with my results. Having in mind that I completed all the targets with a full score of 100 and additionally submitted a lab report with 40+ targets, it was kind of agonizing waiting that long for the results. At the time of writing this, the OSCP Exam guide states that you should get your OSCP certification exam results (pass/fail) within ten (10) business days after submitting your documentation.

My OSCP Exam

My exam was scheduled for the 5th of July 2019, Friday night. Being that organized really helped and I started working on each task as described in my summary sheet. I got a bit panicked with the first task I went for as it didn’t go as smoothly as expected, but that’s actually what the Try Harder mindset is all about – keep trying even if you get stuck, change something or try a different approach. I completed the last target the next day about 10-15 minutes prior to the end of my exam and got a full score of 100 points. Additionally I had a lab report prepared, so with the proof files of all the targets this makes a total score of 105. Offensive Security does not actually provide your exam score, but having in mind how many proof/local files you’ve got you can easily calculate it, provided you have met all the OSCP Exam restrictions that apply during the exam. I received my exam result on the 16th of July, which is about 5 or 6 business days after I sent my documentation (Sunday night, 14th of July). Not sure if this is to be counted as 5 or 6 days, but still the waiting was worth it:
Offensive Security Email – OSCP Certification Exam Results – d7x’s blog
OSCP Exam cpanel – a total score of 100 points
I’m not sure why the above screenshot states I sent my first proof file at 19:57, as my exam was starting at 20:00, but since you need 15 minutes for the proctoring check, either my exam started a few minutes earlier or the time zone is reported remotely. The latter is most probable, as I do not remember getting a target that quickly.

Conclusion

OSCP is a great journey and anyone interested in Penetration Testing and Information Security should get their hands on it. The most important thing to remember for a successful pass of the OSCP exam is that you have to dedicate yourself to it, especially if you have no additional security background. The feeling of getting an email from Offensive Security with a positive result is something great to experience, and remember that this should be taken just as an additional step further into the security field – although it is quite a big step, there are bigger ones you could make, and that’s what I’m currently aiming for.

If you got this far you either found this post interesting or you just scrolled down – no matter which, in case you are one of the guys currently looking at how to prepare for OSCP – my advice is: shape your skills, dedicate yourself to it, and have fun during the process. Good luck on your OSCP journey!

Interesting facts:
  • I’m a caffeine addict – I probably had more than 10 cups of coffee during the exam timeframe. I drink my coffee without any sugar in it.
  • I probably had about 5+ liters of orange and grapefruit juice during the exam timeframe
  • I paid extra attention to my diet and adjusted it for brain endurance
  • I adjusted my workout schedule as a lower priority during my exam preparation
  • I slept between 4 and 6 hours during the OSCP Exam timeframe of 23 hours and 45 minutes and was taking short breaks occasionally, mostly between gathering each target proof files