
Introduction

In this post, I talk about why I chose to pursue the OSCP certificate, my penetration testing methodology, and some tips and tricks. You know that annoying beginning part of a recipe where the chef talks about their life story before getting to the actual recipe? If you don’t care much for the life story, please skip to My OSCP Strategy.

How did I get myself into this?

This journey all started back in November of 2019, when I stayed behind to chat with my professor after my Intro to Penetration Testing class. At the time, I was a senior at Ontario Tech, in the Networking & IT Security program. I was also a teaching assistant for the Advanced Networking I tutorial, and I was doing some threat intelligence research on the side for a directed studies class.

During my undergrad studies, I was always more interested in cybersecurity than in the other course topics in my degree. I really enjoyed the networking and programming classes; however, the cybersecurity classes (cryptography, network security, web application security, etc.) always piqued my interest.

My professor, Garrett Hayes, had just finished the lecture on Network Exploitation. We covered topics such as ARP poisoning, routing attacks, DoS attacks, etc. There is a fair share of certifications that students in my program usually go for. This includes a suite of Cisco certs such as the CCENT, CCNA, and CCNP. Additionally, some students go for CompTIA certs like Network+ or Security+. However, there is one cert that everyone talked about but not many had attempted: the OSCP. My professor holds this cert and would talk to us (students) about it during the many courses we had with him.

I had just landed a junior cybersecurity job at a bank, and I wanted to up my game so I could pivot to the red team at some point. After the lecture, I talked with my professor about some things I could do in my spare time to learn more about security. We talked about doing Hack The Box, and I mentioned that I might do the CEH (Certified Ethical Hacker) exam. That’s when my professor said, “You know, you should try to get the OSCP if you’re serious about this.” This is where it all began. All I had heard about this exam were a few shocking things from fellow students like “it’s a 24-hour exam, you can’t sleep!” or “the pass rate is so low, you need work experience first.” After doing some research and many more chats with my professor (he was very patient with me, thank you Garrett), I decided to pull the trigger and register. My lab time started the second week of December 2019.

My two concerns

Before anyone does anything risky or challenging, the voice in the back of your head can come up with 101 reasons why this is a horrible idea and you shouldn’t do it. I figured out 99 of them; however, I had 2 big ones left. These two issues are common for people who are on the fence about taking the Penetration Testing with Kali Linux (PWK) course, and I hope that by sharing them I help motivate someone to make the best decision.

Concern #1: “Why should I do it now? I start my new job in July; let me do it then, after I get some experience.” Solution: This was just my fear of failure masquerading as a “let’s just do it later” idea. There is no better time than now. I had some free time during the holiday break and a light course load for the remainder of my degree.

Concern #2: “Am I in over my head? I don’t know if I’m ready for this.” Solution: My prof helped me with this one. He told me to think of this course and exam as an opportunity to explore my security curiosity and learn things I never knew existed. With this approach, my goal is obviously to pass the exam; however, the result doesn’t matter. I am going to come out of this experience as a better security professional. With this mindset, it’s a win-win! As long as I try my hardest, I will improve.

On a deeper note, these high-risk, high-reward opportunities are hard to identify and do not present themselves often. I figured it was important to step out of my comfort zone and take on this challenge. As I progressed through the course, I didn’t even think about the 24-hour exam. I only focused on learning new things and having fun.

‘The result doesn’t matter. I am going to explore my security curiosity, learn things and have fun’

My OSCP Strategy

I took v1.1.6 of the PWK course, and my lab time started in the middle of December, a few days after my final exams. I focused on going through the PDF first, then started rooting lab machines after the PDF was completed. I took notes using OneNote; however, you can use any note-taking software like Evernote, CherryTree, etc. Just make sure that you regularly back up your notes, and don’t store them only on the course VM (it can crash and result in data loss). I made sure to do every exercise in the PDF. This way, I could submit my lab book for the 5 bonus points. Here is the official OSCP Exam Guide.

I noticed that I was lacking in the enumeration department, and while browsing Reddit one day, I came across AutoRecon. I swear by this tool and recommend it to everyone I know who starts their own OSCP journey. I also enjoyed using the Weevely package to run stealthy PHP shells on compromised web apps. I avoided using Metasploit during the labs. Usually, I would first try to exploit the vulnerability manually, then follow up with Metasploit. After completing my 60 days of lab time, it was time for exam day! I took the day off school, reviewed my notes, and got a burrito bowl.

Exam Strategy

I had my ID ready for virtual verification and made sure to start on time. I first made sure I could connect to the network and took note of the machines. I ran AutoRecon on all the boxes, then started on exploit development. I made sure to document everything, take lots of screenshots, and ensure my notes were backed up. You can’t take too many screenshots! Also, ensure that the IP address information and the proof contents are in the same screenshot. I used the OSCP Exam Report template by whoisflynn.

Tips for Exam Day

  • Book your exam early! There are a limited number of spots, and you don’t want to delay your exam date!
  • Get a good night’s sleep before the exam
  • Go for a walk before the exam, or at least get some fresh air
  • Stock up! Make sure you have snacks, water, food, and coffee
  • Take breaks! Step away every hour or so for snacks and meditation
  • Make sure to take a long break for dinner. You can’t hack when you’re hungry
  • Don’t forget to sleep, even if it’s just a nap. Staying up for a full 24 hours will not help you get out of a rabbit hole. If you’re lucky, you might hack in your dreams and root the box when you’re sleeping (just kidding)
  • Have a backup plan in case the internet goes out, the power goes out, etc.
  • Stay calm. Just follow your routine and your normal pen-testing methodology. You’ve done this before; it’s all good. Just run AutoRecon and take a deep breath, you got this 👍

What would I do differently if I were to start this journey again?

  • TJ Null has a Hack The Box list made up of OSCP-like machines. I would have liked to try some of these out before registering if I had had more time
  • Take a Windows and Linux Privilege Escalation class. The Cyber Mentor and Tib3rius have great courses on these topics
  • Buy the case of Red Bull at Costco while it was on sale
  • Watch more videos from ippsec

Final Notes

Below I have documented some influential people and great resources I relied on to complete my OSCP journey.