For the past 10 months, I have been entrenched in studying to pass the OSCP exam — a goal that, one year ago, I thought was a distant dream.
What the heck is OSCP? This is from the OffSec description:
The Offensive Security Certified Professional (OSCP) is … the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.
An OSCP has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.
In other words, it means you are pretty good at hacking into computers through various means.
I did 6 months of “pre-studying” by reading, researching, learning, and hacking away at vulnerable Virtual Machines offered by vulnhub.com. You may have seen some of my walk-through write-ups on this blog.
Three months ago, the Pentesting With Kali Linux (PWK) course began, which is the immersive, self-guided course offered by Offensive Security in preparation for the OSCP exam. This course consumed me, as it required a lot of time and effort to complete. If you are married and have kids, I cannot stress strongly enough the need to get their buy-in before you take this endeavor. You will not be available much during this process!
Not only do you need to get through the 375 page lessons and exercise workbook, you have to do the 8 hours of training videos that go with it. On top of that, you are given access to a virtual lab filled with 50+ computers for you to practice your hacking skills on.
The lab is designed to emulate a real-world corporation, and you are playing the role of the adversary, attempting to compromise your way into each and every machine you can find. In the end, you have to provide documentation of your efforts and successes as if you were a real-world security penetration testing professional hired to find the weaknesses in the company’s network and systems.
Needless to say, all of this takes a lot of time, effort, research, and patience. The oft-repeated mantra of the OSCP course is, “TRY HARDER!”
This past weekend, I took the exam. The exam is a grueling 48 hour test in which you are given 5 computers that you must hack into as far as you can within the first 24 hours. The second 24 hours is for writing up your reports and documenting your efforts with detailed, step-by-step instructions and screenshots on how you did what you did.
Sleep is optional. Sustenance is highly recommended.
I opted to start the exam at 3pm Friday, based on what I had read from others who have taken the test. This gave me enough time that day to gather my thoughts, my notes, and to practice buffer overflow attacks. More importantly, it gave me a chance to nap from about 2am to 5am, which proved to be a much-needed recharge for my brain.
I hacked away for a solid 21 hours with that 3 hour nap in the middle. By the end, I had rooted 3 systems, and had a low-privilege shell on a fourth. I had enumerated the fifth system pretty well, including discovery of some valuable information. Still, I wasn’t entirely sure I had achieved the requisite 70 points (out of 100) to pass the exam.
At 3pm I went back to sleep for a few hours. I woke up about 6, then got to work on the documentation, which I completed around midnight.
All in all, my documentation consisted of:
- All exercises from the PWK course.
- Documentation of 10 compromised machines from the Lab. I ended up compromising a total of 25 machines, but 10 are required to be documented.
- Documentation of the exam machines.
All of this ended up being about 230 pages long!
I submitted everything, then spent most of Sunday snoozing and worrying about whether or not I had passed. I felt like a truck had run over me, backed up over me, then ran over me again. Plus, the anticipation was terrible. Thinking that I might have to go through all of that again was not very pleasant.
I woke up this morning (Monday) to find out that they had reviewed everything, and that I had passed!
A topic of constant debate on the NetSecFocus Slack channel is whether or not people should do the Exercise and Lab documentation, which earns you 5 points on the Exam, or if they should just skip it and go right into the Labs, do the exam, and hope to get more than 70 points.
I am a shining example of why you should submit that documentation. You might need those 5 points to pass the exam, and you are doing yourself a disservice if you skip all that valuable materials in the course anyway. It really teaches you a lot even though it can get rather dry at times.
At some point soon, I will update this blog post with resources and tips for those of you thinking about doing this certification course. It was one of the hardest things I have ever done, but also one of the most rewarding.