I am finally an OSCP! – Here’s the Story

I am finally an OSCP! – Here’s the Story

I am finally an Offensive Security Certified Professional!

Hey Everyone, it is Matt here, and I know it has been a super long time. Since late June. I have received many messages from folks asking how it’s been going, and as the title reads, the journey is over! Finally! I have constantly thought about my blog along the way, and I know I have neglected it. But, I have been diligently working everyday, and I truly wanted my next post to be a celebration post. It is finally here!

 

A Quick Summary:

For those of you who haven’t read my past posts, I started the OSCP Course May 26th, 2018. I have been working every single day since, and two days ago, Tuesday September 4th, I took my 2nd exam attempt and passed with flying colors! On my last post I had rooted 30 boxes, and wow that is nothing compared to where I am at now. So, here’s the full breakdown:

 

Starting where I left off:

After my last post (30 boxes rooted) I continued to work through the lab machines, and I scheduled my exam for July 31st. I finished every single machine in the labs (about 55) by Mid-July, and utilized the next two weeks or so to go back and re-root the machines I struggled with. In total, by July 30th I had rooted every single machine in the labs, and I had re-done about 20. Additionally, I had re-familiarized myself with Buffer Overflows (Really good idea!) in preparation for the exam.

 

Exam Attempt #1

July 31st,  8:00am:

I woke up two hours early before my exam, an anxious wreck. I don’t get anxiety much, but this was seriously one of the worst days of my life. For two hours I tried to calm myself down, get some Starbucks, drive etc. By 9:55 I was only 5 minutes off the email, and I couldn’t think straight at all. Normally I handle pressure very well, but not today!

July 31st,  10:00am:

In true Offsec fashion, my exam email arrived right on the dot. 10:00 o’ clock. This was a pretty short and sweet email giving my the download link for the VPN, Control Panel link, and a couple of pointers. After getting everything configured (only about 5 minutes) I pulled up the Control Panel, read the objectives for the first machine, and I was off to the races!

Note: For those of you wondering, the Control Panel is completely different from the one provided for the PWK Course, and so is the VPN connection! Additionally, you do not get to keep your same IP Address that you have had throughout the whole labs, so be prepared for a different one! Memorize it!

July 31st,  12:00pm:

Two hours into the Exam, and it’s not looking good. I tried to get the 25 pointer (Not the Buffer Overflow one), and I was failing, hard. This machine wasn’t complicated, but it had a huge rabbit hole that I got sucked into. Also, I just couldn’t think straight. After deciding to table the 25 pointer for now, I re-focused my efforts on a 20 pointer. I scanned out the system, and once again, I was struggling! Hard! I decided to take a breather and come back with a fresh mind.

July 31st,  12:30pm:

After about a 30 minute break, I came back and decided to do the Buffer Overflow machine. After about an hour, I successfully compromised the target, and I had obtained 25 points! Confidence Boost! (Short lived!)

July 31st,  1:30pm:

After this Buffer Overflow machine, I decided to re-attack the 20 pointer that I had attacked earlier, and after another hour or so tinkering I got a shell! Whew!

July 31st,  2:30pm:

Currently 4:30 hours into the exam, with one root and one low level shell. I decided to attempt privilege escalation, and man it wasn’t working out. I played around with privilege escalation for about an hour and half before tabling it.

July 31st,  4:00pm:

I decided I wanted to add up some more points, so I went after the 10 point machine. It took around 30 minutes, but I got root access pretty fast, which brought my points up to somewhere around 45! I was feeling better, but I think at this point I knew it was probably over.

July 31st,  4:30pm-2:30am:

This was the most brutal time period of the whole exam, and I actually felt like puking. I rotated from the low level shell, to the 25 pointer, to the other 20 pointer. Over and over and over again. After many hours, I finally obtained a root level shell the original 20 pointer, which brought me up to 55 points. Now I had a battle between the 25 pointer and the 20 pointer. I worked up until 2:30am, but I just couldn’t get anywhere. So, I went to sleep.

July 31st,  7:00am:

I woke up at about 7:00am with about 3 hours left. Once again, I worked on both of those machines, and still nothing. My exam time cut out at the designated 23 hours and 45 minutes mark.

 

The Aftermath:

For starters, I felt cheated. And to an extent, I still feel cheated on that attempt. The exam machines are truly on a different level than the lab network, and I believe there is definitely a lottery  within the exam. What I mean by this is that some 20 point machines are a lot more difficult than other 20 point machines. Undoubtedly. Same thing goes with the 10 pointers and 25 pointers. Even though my points weren’t too far off of passing, I felt like I was a mile below where I was supposed to be. This really got to me as I had completely every single lab machine, and I turned around a re-rooted 20! Though, after a few hours of pouting, I decided it’s time to be productive and learn from my mistakes.

 

What Next?

After the failure, I decided I had learned enough from the labs and it was time to branch off. Here’s what I did, and it was the smartest choice I could’ve made: Hack the Box VIP Subscription. Some people may argue that Hack the Box is different than the OSCP because it is more CTF’y, but that is not the case. It is a little more CTF like, but it is an awesome platform to learn and develop your skills, and I attribute my success to this platform. As I had rescheduled my exam for September 11th (It was the soonest time!) I had about 40 days to study. I started doing lots of retired Hack the Box machines, and watching IppSec’s videos on Youtube, you can find his channel here. IppSec is a great teacher, and going through as many retired machines as possible really helped me. Stick around the mid level difficulty boxes and you’ll learn a TON! Even if you finish a box without needing IppSec, watch his video on the box to gain another perspective. Often he will go through multiple priv esc methods etc.

What I needed to get stronger in:

  • Organization with terminals. (Tmux for the rescue!)
  • Privilege Escalation (Both Windows and Linux)
  • Web Application Attacks

 

After running through a gambit of retired and active Hack the Box machines, I had dramatically increased my Privilege Escalation capabilities, and now I actually look forward to Priv Esc where I used to dread it! This is the catalyst that allowed me to smash the exam on the second attempt! Only a few days ago, I checked the exam scheduling calendar, and I saw an opening for September 4th at 4:00am. So, I took it!

 

Exam Attempt #2 (Success!)

This attempt was simple. It sucked that it started at 4:00am, but I managed. I woke up right at 3:45am much calmer than before, and generally, I knew what I was coming. The email came at 4:00am, and I once again setup everything and was off to the races. I immediately tried attacking the Buffer Overflow machine, and I got my exploit working within my test environment, though it wasn’t working on the target. Not a good way to start off the exam… I switched terminals to my scan of the other 25 point machine, and had good feeling in my gut. Within less than 30 minutes I had a low level shell on this box, and within another 10 minutes I had root access. Additionally, within the gap time of my exams I did do the report. So, within about 2 hours I had managed to get myself 30 points without the Buffer Overflow box. I took a 20-minute walk to stew on the Buffer Overflow issue, and right when I sat back down at the desk I immediately figured out the answer! Bone head move on my part! Within 5 minutes I got it straightened out and I obtained 55 points!

This time around it was clearly looking pretty good. By about 6:30-7:00am I was rocking with 55 points. I tossed a scan on a 20 pointer, and took another quick break. I came back, started my deep enumeration cycle, and within an hour I had obtained a low-level shell. 65 points! All I needed to do was privilege escalation this machine, or root the 10 pointer and I was golden! My Hack the Box experience majorly helped here, and I found the privilege escalation hole easily within 30 minutes. I was really proud of myself here, because this was definitely supposed to be a hard priv esc, but I found it super quick! Give me a few more minutes on getting this priv esc to work, and BOOM! ROOTED! 75 POINTS!

At this point I got up, probably screamed a bit, and was ecstatic. It was around 8:45am or so, and I had passed! Only about 5 hours of work the second time around! I went out to breakfast to celebrate, and came back full and happy. Though knowing myself, the itch returned to do better. So that I did. I turned around and popped the 10 pointer to get myself up to 85 points, and then I scanned out the other 20 pointer, and got myself low-level user credentials. After successfully rooting 4 machines, and exploiting the 5th for low-level credentials (though not a shell) I decided it was time to focus on the report. Fast forward a solid amount of hours, and I was submitting my 40 page exam report, and 110 page Lab + Exercise report. I emailed Offsec at about 5:00pm Tuesday night, and I received a receipt acknowledging they had received my documentation at midnight.

The wait…

I know most of you are thinking why would this suck? But it did. I knew there was virtually no way I didn’t pass, but I was still in limbo. Luckily, Offensive Security wasted no time, and at 8:00pm Wednesday night (Only 27 hours after my submission) I received the best email ever:

Dear Matthew,

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.

I’ll be honest about it. I freaked out a bit. It felt like a 50 pound weight was lifted off of my chest, and I was outside and just started sprinting out of pure happiness. I immediately sent out texts to everyone in my network, and watched the congratulations flow.

 

What I learned:

  • Anyone who completes this certification has determination and perseverance that is second to none. I would be happy to work with any OSCP.
  • This certification taught my personally a lot about perseverance, and dealing with insane levels of stress!
  • Obviously, this certification opened my eyes to the world of penetration testing, and I will only continue to get better.

 

For the future:

I feel like there is a hole in me now, and I need to fill it soon! So, I am planning on enrolling in the WiFu/OSWP course in a couple weeks. Additionally, I plan on producing a lot more great content on this blog, and I already have a bunch of great stuff lined up with BadUsbs, and a detailed explanation of my new Pfsense home network, so stay tuned! Lastly, I am thinking about writing an eBook around the OSCP. As I have 100% lab completion, I would love to help out others and create a detailed hands-on book for OSCP preparation, and past OSCP students who need to stay sharp. This book would share my knowledge gained, and would be a practical guide for all the needed information to pass the OSCP Exam and be successful in the labs. Please let me know if you guys like the idea, and if so, I’ll get started on it right away!

 

I promise another post soon. Until next time. Thanks for reading.

-Matt

10 thoughts on “I am finally an OSCP! – Here’s the Story

  1. Nice work Matt!! Congratulations!
    I would love to work toward the OSCP, but I know I am NOWHERE ready for it. Just the idea of preparing for it is daunting.
    But to read this — it stirred up a new fire to prepare. I do really hope you go for writing up a OSCP Preparation guide of some sort. The pointers you just gave (HtB VIP sub & Ippsec channel) are new to me, great to know.

    Way to go!
    p.s. If I could offer any guidance or help in you getting something published, I might be able to help you there.

    1. Hey Jeff! I would love to reach out to you about publishing! I truly know nothing in that domain. I’ll shoot you an email straight away!

  2. Hey, congratulations on passing I’m currently going through OSCP as well so I know how you must of been feeling through the labs. I think it’s a fantastic idea to write a book up especially with so much skill to root all boxes, let me know when you get it published and I’ll happily buy one straight away!

  3. Hi there

    I came across your blog on techexam forum. Congratulations on your OSCP and it would be great if you plan to work on the ebook.

    I am working hard on my ecppt now and hope to clear it and move towards OSCP.

    Thanks!
    David

    1. Here is the list of HTB Machines I have done! All were worth it:
      Active, Artic, Bank, Bounty, Calamity, Celestial, Charon, Crimestoppers, Dev0ops (Still priv escing now), Haircut, Jerry, Joker, Lazy, Mantis, Mirai, NIbbles, Ninveh, October, Poison, Rabbit, Secnotes, Sneaky, Solidstate, Tally, Tenten

  4. Congrats Matt your experience is good and thanks for share it. And it is very good idea to write ebook about your experience. ı am waiting for your book

  5. Lewis, congrats on your certification. Was curious if you can provide a bit more feedback. I use you for inspiration. Any advice on some good enumeration techniques and and scripts you may have found to be most useful? Preexploit and post? What advice can you give on priv escalation? You said that that eventually became your bread and butter and became easy for you. Congrats again!

  6. Hey Matt! Congrats man. This is one of the best series OSCP related I’ve read so far. You really covered since the very beginning until you achieve the success. I’m about to start my journey next march.
    I have a question for you. It’s been like 3 months since you passed the exam. In what way do you think OSCP changed your career/life?
    Once again, congrats for the achievement.

Leave a Reply

Your email address will not be published. Required fields are marked *