When I first ventured into the information security sphere, I wanted to obtain relevant certifications that could help boost my chances of getting an entry-level, infosec-related job. I then realised that there are far too many infosec certifications out there, so which to choose? My senior back then told me that most people would opt for the CEH, as it is a common criterion that most HR personnel look out for. I went ahead and took the CEH, followed by the ECSP and then the ECSA, but deep down I felt that I had not learned anything new, as it was hardly challenging. Most of it was just memorising answers. Also, the credentials of that particular certification body are questionable and frowned upon by the general infosec community due to various scandals and hacking incidents that happened in the past. To be honest, I am not proud to hold those certifications.
I then decided to take ISC2’s most entry-level certification, the SSCP. This was slightly more challenging, as the questions are scenario-based. Still, there was zero hands-on work, all theory. I then started looking for hands-on training that was available in my area. If funding had not been an issue, I would have opted for some of the SANS courses like GPEN/GXPN/GREM. From what I heard, the training is top-notch quality, but the exam is still multiple choice.
One lucky day at a SANS Singapore community night event, my good buddy told me that he had recently enrolled in the OSCP course by Offensive Security. That was when I got to know about the various courses offered by Offensive Security. When I got home that night, I did my own research on the courses offered and was pleased that the pricing was not too expensive and that I could attempt the course from anywhere, as it was all online.
I embarked on my OSCP journey in July 2014, and it is clear that the Offensive Security Certified Professional certification is by far the most insane as well as the most rewarding achievement I have accomplished. The OSCP course, lab and exam take a totally hands-on approach and are not like your usual certification examination with multiple-choice questions, where guessing certain answers will work with a bit of luck. The final examination is a gruelling 24-hour affair in which you have to own boxes in a small network.
Take and complete the OSCP course if you want to excel in penetration testing. You will definitely pick up a lot of new skills and tricks, and learn to look at scenarios from a different perspective.
0. OSCP Timeline
- 8th July 2014 – Enrolled
- 13th July 2014 – Course started
- 11th September 2014 – Lab time expired (Did not attempt the labs at all)
- Huge gap from 11th September to 8th December was due to job transitioning
- 8th December 2014 – Attempted exam, failed (Did not want to waste the exam attempt)
- 27th January 2015 – Renewed lab time for 15 days
- 11th February 2015 – Renewed lab time for another 30 days
- 13th March 2015 – Attempted exam, passed!
1. Experience prior to taking the OSCP course
I had basic penetration testing experience when I first enrolled in the course. The main goal was to gain more knowledge in penetration testing so that it could facilitate my career switch from an information security analyst to a penetration tester. Obviously, I got my money’s worth and much, much more from the course. In my previous role I was involved in a series of internal vulnerability assessments and internal penetration tests, configuring SIEM detection rules and firewall rules, and doing daily system administration of Linux and Windows servers. I believe it is possible to complete the course with little to no prior security-related background, as all you need is sheer determination and a passion for infosec.
2. Course Registration
I will not be describing much about the registration process, as there are numerous reviews out there that contain that information. Basically, I signed up for the 60-day course, followed by a 15-day extension, and another 30-day extension.
I was excited when the course materials arrived, and dived into them immediately. The videos are clear and concise, making it easy to understand the material without much difficulty. I took roughly 45 days to finish viewing all the videos and completing the course exercises that were in the PDF. Your mileage may vary; I have seen folks completing everything in 30 days, which I personally find to be an awesome accomplishment. I felt that I was not too familiar with some of the tools and concepts, and decided to take a longer time to understand the concepts and practise shell scripting. The remaining 15 days went to waste as I was busy with personal as well as work-related stuff. It is important to make sure that you have allocated time for the course and labs, as each day wasted is approximately USD 10!
After my lab time had expired, I did not find time to get a renewal. One day when I was checking through my email, I opened the expiration email and saw that my examination attempt was going to waste. I decided to schedule it to get a glimpse of what the examination was like, instead of letting it expire. I will elaborate more on the exam in point 5. Bottom line is, I failed that attempt as I had only gathered approximately 50 points (1 root and 2 limited shells). 70 points were needed to pass the exam.
The labs are where all the fun is. After the failed exam attempt, I was quite demoralised and decided that I would attempt the exam again only after I had at least obtained root on some of the machines in the labs. When I renewed my lab time, I was amazed by the size of the lab network. In hindsight, I should have spent most of my available time in the labs rather than aiming to complete all the course exercises. One by one, I managed to root the boxes in the labs. Sometimes it would take a few minutes for the low-hanging fruit, and several days for the really hardcore boxes like pain, sufferance, humble, timedev etc. The more I progressed in the labs, the more addicted I became. I ended up unlocking all 3 networks, with approximately 47 boxes with full root access.
Since I had attempted the exam once, I knew roughly what to expect. I was not as lucky as some of the folks who get multiple examination boxes that are the same as in their previous examination attempt. All but one were new! The box which I got previously was the box I dreaded, because I had spent 12 hours on privilege escalation without success. I panicked a little but decided to do my best.
First, I did enumeration of the 5 boxes. Two hours in, I got an easy win with one of the 20-point Linux boxes. I then referred to my previous exam report and got a limited shell on the Windows box that I had attempted before, and left privilege escalation on it for last. I then proceeded to work on the exploit development box, which was not too difficult as I had successfully completed a similar box in the previous examination attempt. It was just using the same concepts taught in the course videos, only on a different piece of vulnerable software. Before I knew it, 12 hours had passed and I still had not racked up enough points. I was starting to panic. I then used my Metasploit chance on a 10-point box, worked the next 8 hours on the limited shells I had, and finally decided that I should have enough points to pass. I was uncertain how many points would be given for a limited shell, as the marking scheme only indicated point values for full administrative access. I was really exhausted at this point and decided that it was probably enough. I then went to bed, slept for 12 hours and woke up to complete the exam report. I had created my lab report one week prior to the exam, so I did not have to rush. The exam report took me approximately 3 hours. After checking through the reports several times, I submitted them and went to grab some beers as a mini celebration.
Three days later, I got the email indicating that I had successfully completed the course. I was overjoyed! To those contemplating whether to take the OSCP course, do not hesitate further. To those in the process, do not give up and always try harder. Cheesy, but effective.