During the last 3 months it was more quiet than usual on Hacking Tutorials. In this period less tutorials and articles were publish on Hacking Tutorials but there was a very good reason for that. For the last 3 months I have followed Offensive Security’s Penetration testing with Kali Linux (PWK) course and got certified as OSCP. In this article I will be reviewing the courseware, the labs and the brutal 24 hour exam. We will also look at which prior knowledge would be beneficial during the course and how to get this knowledge. We will conclude this article with some tips and hints that helped me passing the exam.
OSCP courseware and videos
The Penetration testing with Kali Linux courseware contains a PDF file and instruction videos on all subjects. The course covers many different subjects such as passive and active information gathering with many different tools but also writing simple buffer overflows exploits for Windows and Linux and privilege escalation techniques for both operating system. You will also learn about exploiting web applications, perform password attacks, tunnelling and how to use Metasploit. The full course syllabus is available here:
It is helpful if you have prior knowledge of networking basics, scripting/coding and maybe some hacking and enumeration techniques in general when you start the course. Every subject is explained very well in the courseware and starts from basic. However, you really need to learn a lot during this course in a very limited timeframe. Especially when you do this course beside a full time job like most of us. Any prior knowledge will speed up the learning, lower the learning curve and save you some time.
Tips for the OSCP courseware
- Follow the courseware first and then start practicing in the labs.
- Use additional sources to learn more. A list of great online and offline sources is at the bottom of this article.
- Join the offensive security PWK forums and social media and talk to other people. You can learn a lot from other people too, especially when you have little or no practical experience on the subject. InfoSec is often a passion and a way of living so people are often quite nice and willing to share information and educate people who share the same passion (read last paragraph for what questions to ask and what not).
The best part of the learning path to OSCP certification are the labs. The OSCP labs contain several networks with over 50 servers to practice your ethical hacking skills on. The operating systems on these hosts vary from Windows XP, Windows 2008 server and Windows 7 to different Linux/Unix based operating systems such as Debian, Ubuntu, CentOS, FreeBSD, Fedora and more. Some operating systems are old (there’s even a Windows 2000 server) and some are very recent like Windows 8.1 The lab also contains several clients performing automated tasks which can be targeted to learn about client side exploitation.
The main goal for each machine is to get a shell on the machine with administrator privileges and collect the contents of a proof.txt file on the Desktop. Some machines contain a networksecret.txt file besides the proof file. These machines are configured with a second network adapter which allows you to use the machine as a pivot point and access an otherwise unavailable network. The contents of the network secret files allows you to revert machines in other subnets from the student panel. The OSCP student panel is accessible through the VPN connection and is an interface to revert machines, use Offensive Security’s Crackpot and to (re)schedule your exam.
Every host on the lab contains one or more known vulnerabilities, varying from local file inclusions (LFI), backdoors and SQL injection to remote buffer overflows, default passwords and remote file inclusions (RFI). Privilege escalation is often performed through exploiting OS and application level vulnerabilities but also trough misconfigurations such as incorrect user privileges on files and services. After proper enumeration and assessing the vulnerabilities you have to exploit them in order to get a limited user shell, sometimes directly a root shell or information which will lead to any of these. The vulnerabilities together have been setup very well and often you need to exploit a clever a combination of them to get root or administrator access. I must say that Offensive Security has done a great job on setting up these labs.
Metasploit and automated tools
The use of Metasploit is limited during the OSCP examination, although it is advised to get familiar with Metasploit and practice using it on the lab machines. You are allowed to use it on one machine during the exam which is often considered as a lifeline by many people. Personally I’ve often used both ways to exploit vulnerabilities, first manually and then with Metasploit if an exploit module was available. Using automated (commercial) vulnerability scanners, such as Open-VAS, is strictly forbidden on the exam. Using them in the labs would be wasting your learning experience when it comes to enumeration and vulnerability assessment as this part of the penetration test is automated.
Tips for the OSCP labs
- The student forums contain a walkthrough written by Offensive Security for machine 71. Follow it to get a clear picture of how to conduct a penetration test from enumeration to privilege escalation and post exploitation.
- Learn about the methodology used in the walkthrough, the techniques are less important.
- When you’re advancing through the labs, write a simple bash or python script to perform (a part of) the enumeration. This will improve your scripting skills and experience but also save time.
- Try to root as many machines as possible because all boxes contribute to your experience and learning process.
- Extend your lab time if necessary and possible when you have left a lot of boxes untouched at the end.
- You can install your own vulnerable machines for practising or download them elsewhere.
After going through the courseware and finishing the bigger part of the labs, you might be ready for the horrific 24 hours OSCP certification exam. At the scheduled exam date you will receive new VPN credentials to access the exam network. The exam network consists of 5 machines with a number of points ranging from 10 – 25 in the networks I got. You will need a total of 70 points to pass the exam. Personally I have taken 2 attempts to pass the examination and obtain the OSCP certification.
The most important factors to consider prior to the exam are:
- Time management
- Avoiding rabbit holes
- Make a battle plan which you will stick to during the full length of the exam
OSCP Exam #1
On the first attempt I started at 11 AM and did not have a solid plan and just ran into the exam. In the first 2 hours I managed to get root on the first box. In the 6 hours to follow I rooted the second box. From that moment on everything went downwards and I got lost for hours in what later seemed to be a rabbit hole. At that moment it was impossible to get out of it, also because the tiredness kicked in after 16 hours making it hard to remain focused. I stopped at 3 AM and slept till 08:00.
I got back to the exam at 08:30 and only had 2 hours and 45 minutes left. In that period I got a limited shell on the box I was stuck at the night before and almost rooted a second one but it was too late. The VPN died and I knew I had failed the exam. I have learned a lot from this first failed attempt. I have learned how important time management is and that you really need a strategy to avoid rabbit holes and lose too much time. At the end of this article I will present you with a list of points to consider which really helped me to avoid rabbit holes. I found that avoiding rabbit holes is key in passing the exam on the second attempt.
OSCP Exam #2
The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours. From the first attempt I knew that exam hours 12 to 16 are worthless. Personally I become too tired and lose too much focus after 12 hours. I also started with the harder exam machines this time. Those are the ones that give 20 or 25 points. In the first 12 hours of the exam of the I managed to get 55 points. I went to sleep at about 5 AM and woke up to continue the exam at 8 AM.
In the hours to follow I managed to get another 40 points. I had a total of 90 points and I knew I had passed the exam. For one box I did not manage to escalate my privilege level to root, but I was fine with that.
OSCP exam report
In the next 24 hours you will be writing a penetration test exam report. The exam manual, which you get at the start of the exam, explains clearly what is required in the report. Make sure you collect this information during the exam in the required format. Prior experience with report writing (lab report for example) will help you a lot at this point. After submitting the lab report I got the following e-mail about 2 days later from Offensive security:
Tips before the OSCP exam
The following tips will help you before the OSCP exam:
- Make a battle plan before the exam which at least contains the following:
- Breaks with time, including dinner, lunch and breakfast.
- Determine when and for how long you will sleep. Yes, you need to sleep in 24 hours.
- How long to work on a single box. Personally I suggest to switch to another box when you are stuck on a box for more than 2 hours.
- Which enumeration to perform on every step of the penetration test (at the start and on a low privileged shell).
- Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
- Rest before the exam, at least a day is what I would recommend. A fresh and sharp brain at the start of the exam is more important than a few more details covered.
- You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is a great practice for this, use it to learn how to document properly.
Tips during the OSCP exam
The following tip are helpful during the OSCP exam:
- Personally I would suggest to not work longer than 12 hours on the exam without sleep or at least a longer period of rest to cool down your brains. Pick a timeframe for the exam which supports this and give you 2 fresh starts with enough time.
- Take frequent breaks during the exam.
- Recognize rabbit holes! PWK/OSCP is not an advanced penetration testing course and 24 hours is not enough time to write a custom privilege escalation exploit from scratch. Nor can you perform advanced blind SQL injection attacks which aren’t documented anywhere in such a short timeframe. Summarized: When it is too difficult, it is probably a rabbit hole.
- Use the last 15-30 minutes of the exam to check if you collected all required information before your VPN connection dies. It is easy to miss important information in the state of mind you will be in after 24 exam hours. Note: the VPN connection dies after 23 hours and 45 minutes! Schedule this check on time!
Conclusion and resources
I want to finished this article with saying that Offensive Security did a great job on this course. It is a very challenging course and the hard exam really gives value to this certificate. Many people say that PWK/OSCP is not an entry course and question themselves (and others) when to engage OSCP. Personally I think these people are just partly right, PWK is not entry level but it’s not advanced either. More important is the time you can spend on the course. If you are able to consume a lot of information in a short period of time and your devotion (try harder!). It is always a good thing to prepare yourself for a course like this. I would like to recommend the following books, tutorials and resources:
The Virtual Hacking Labs – Online Penetration Testing Lab
Practice on vulnerable machine in the online Penetration Testing Labs: The Virtual Hacking Labs
General penetration testing
Web application hacking
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto.
Any or all of these hacking tutorials:
- Metasploitable 2 enumeration
- Metasploitable 2 vulnerability assessment
- Exploiting VSFTPD v2.3.4 on Metasploitable 2
- Hacking Unreal IRCd 126.96.36.199 on Metasploitable 2
- Hacking dRuby RMI Server 1.8
- Buffer overflow explained: The basics
- Hacking with Netcat part 2: Bind and reverse shells
- Mingw-w64: How to compile Windows exploits on Kali Linux
The following links are very helpful during the PWK course:
More links and books will be added over time.
Help during the OSCP course
Earlier in this OSCP course review I mentioned that it is a good thing to ask other people to help. Especially when you’re stuck on something or when you cannot find the information that you need. I’d be happy to help you answer your questions or give advice and such. But don’t contact me and ask for the PWK courseware, for help during the exam or anything else that will ruin your or anyone else’s learning experience. For simple questions please use the comment functionality below the article so anyone can benefit from the response given. Also note that Offensive Security admins are available on the IRC channel to help you when you get stuck (and sometimes give you a hint instead of try harder).