As you may have noticed – it went quiet on my blog in the last few weeks. I have been working hard in the challenging Offensive-Security labs to obtain my Offensive-Security Certified Professional (OSCP) certification. AND! Yesterday! I received the mail from Offensive-Security that I have successfully completed all requirements for the OSCP certification! I’m really happy about that because it opens a new door in my career 🙂 !
But what’s so special about this certification?

A quote from the Offensive-Security website summarizes it best:

The OSCP certification, in my opinion, proves that its holder is able to identify vulnerabilities, create and modify exploit code, exploit hosts, and successfully perform tasks on the compromised systems over various operating systems.

After completing my eCPPT exam, which is more of an entry-level certification for web-application security, I decided to take the OSCP course, because there are a lot of good and interesting reviews about its strengths over at ethicalhacker.net. OK, I have to admit, I was not 100% sure whether I really should take this course – even at the point of clicking “Submit payment” ;-), because there are a lot of reviews out there which say that it is real pain! (More about this later.)

Basically the OSCP course (well, officially it’s called PWB – Pentesting with BackTrack) is completely different from the eCPPT. It’s a “real” network penetration testing course where you start with information gathering and end up with local privilege escalation to take over root or SYSTEM rights. An overview of the course syllabus can be found here.

Since most of the web-vector attack techniques had already been covered by my eCPPT work, I focused more on other parts of the course, like:

  • Manually modifying existing exploits under Linux and Windows – Yes, I do not mean Metasploit!
  • Transferring files to target systems – there are ways I did not even think about!
  • Client-side attacks – most common these days – praise JavaScript 😀
  • “Port Fun” – Redirecting and Tunneling traffic through network segments – Sometimes common firewalls are just useless when there are no outgoing rules…

And the most interesting:
Privilege Escalation – the “GOT ROOT” message feels like turning Godmode on 😉 !!!

The Courseware!

A lot! About 330 pages of PDF and endless hours of video material. Great stuff – nothing more to say, and no pain so far.

The Labs!

There are a lot of lab machines residing in different firewalled network segments, as is common in most real network scenarios that I encounter daily at my customer sites.

It started quite easy with some older vulnerabilities that directly resulted in SYSTEM-level access. But it was getting harder. I started with pwning the first machines – in only a few hours I had around 30% of the “public” network segment. I thought: “Well, if this is the level throughout, I should cancel this course, try to get my money back, and comment on every review I’ve read so far.”

But it was still getting harder – even in the public segment. The variety of vulnerabilities grew and most of them only resulted in a limited shell. I needed to think with increased regularity about the Offensive-Security motto “Try Harder™”. Until I got to a box called “PAIN”. It was quite easy to get shell access to this machine, but then the problems started. I did not find anything to further escalate my privileges. Nothing. I searched for about 2 days and found… nothing – I felt like I really suck, and for a moment I asked myself if this is the right way in my career 😀 !

Until the point where I started to think in a different way – a more Linux-like way – about the more common things on a Linux system (sorry, I don’t want to disclose too many details, because I do not want to destroy your fun) and found the key to the /root/ directory!! The first point where I felt like working with Godmode turned on 🙂

I went on and ended up having all hosts pwned except one called “SUFFERENCE”. The next generation of pain. I was working for nearly 3 days on this box but did not find a way to root – but wait… after my exam I got an idea about how to crack it…

The other network segments were quite fun too… In the end I was able to pwn 45 out of 49 hosts to SYSTEM/root level, a great result in my opinion 🙂

The PAIN!

Although I had pwned 45 hosts, I did not feel – somehow – ready for the final exam challenge. But unfortunately my lab time had come to an end. The final exam challenge is a Capture-The-Flag (CTF) style real-world scenario, which you need to exploit in order to obtain your certification. You’ve got 24 hours to complete the CTF and another 24 hours to write and hand in the documentation.

OK, I scheduled my CTF on a Saturday afternoon, and had a lot of sleep before to be ready for what was coming. I received the mail with my instructions and was a bit astonished. Fewer machines than I had expected and one special challenge. Each pwned host gives you a different number of points (100 points all together), and you need at least 70 points to pass. Because of the small number of hosts, I started to think: OK – that’s going to be challenging – and it was. The usage of Metasploit is very, very limited, which is great in my opinion, because using semi-automated tools for penetration testing purposes does not show that you have understood what you are doing.

My new strategy: pwn machines to get the minimum number of points 🙂 I completed the special challenge, which was by the way a really great idea, and I completed another host quite quickly. This meant 50 points. Great – I thought.

But the PAIN started to return at this point. I was working on the next host – without seeing any results… for hours!! 8 hours passed by, and I started to get nervous. But for the better: I took another Clubmate and left my flat to re-organize my thoughts. While pwning my Clubmate I was hit by another idea. Back at the CTF, I had a deeper look at a special configuration condition on the host which had attracted my attention. AND! FINALLY! I was able to pwn the host to ROOT. That resulted in the minimum amount of points to pass. I decided to go to bed at this point. That was a good decision. The next morning I was able to pwn all other systems to complete the certification with 100 of 100 points 🙂

The documentation part wasn’t a big problem, since it was perfectly taught in the eCPPT course and was therefore easy for me (my documentation: 291 pages including appendix).

Who should take this course and who not?

Although it’s one of the more expensive courses – it’s a very good investment in your penetration testing career. But it is not an entry-level course! If you’re new to networking or security in general – this course could knock you to the ground. The key points to survive this challenge:

  1. Information gathering! You need a moderate understanding of network and system concepts – especially on Linux-based systems.
  2. Documentation. You have to submit fully detailed documentation about your course AND exam findings.
  3. Without ever having coded/scripted one line by yourself, you’re completely lost.

After this awesome challenge, I decided to take the advanced OSCE… next year 🙂

OSCP Course and Exam Review

34 thoughts on “OSCP Course and Exam Review”

  • May 2, 2013 at 5:19 am

    Congrats! If you owned that many machines, you were definitely prepared for the examination. My sincerest good luck on the OSCE course. You’re in for one hell of a ride!

  • May 16, 2013 at 12:44 pm

    Congrats man,
    this was the best review I have read since g0tmi1k’s review.
    How long was the lab: 30, 60 or 90 days?
    What material do you advise me to start with before starting? Or start with eLearnSecurity then jump directly to OSCP?
    Thanks again again again

    • May 17, 2013 at 7:56 am

      Thanks!

      @Eth!cal:
      I took the 30 days first, but extended my lab time twice by another 30 days – so 90 days all in all. The lab is really challenging, so if you have a challenging job too, you’d better take more lab time.

      Where to start is difficult to answer since it’s always different and depends on your knowledge. If you’re new to the whole penetration testing thing, you’d better start with the eCPPT, CEH or Security+. If you already have experience then take the OSCP – basic Linux and also basic scripting/coding is a must-have.

      Regards.

  • May 21, 2013 at 8:05 pm

    I started the course and I just wanted to ask a question so as not to waste time. Are there machines connected together so that compromising some of them depends on some other machines in the lab? Because when I am stuck on one machine, I think maybe I need to move to others and that will somehow help me in compromising this one. And I don’t want to waste time.
    Thank you in advance,

    • May 21, 2013 at 8:40 pm

      Yes!! There are some hosts which you can only pwn if you already have access to another one and/or found something interesting somewhere on a pwned host. Keep your eyes open 😉

      Regards.

  • June 13, 2013 at 12:08 am

    Quick question about the exam: I’ve heard it mentioned that Metasploit cannot be used in the exam. Is that in reference to the automated fuzzers/exploits? I’ve built a couple of fuzzers and exploits in Ruby that leverage the Metasploit framework, so I’m wondering if I need to rewrite them in Python.
    Thoughts?

    • June 13, 2013 at 10:18 pm

      Metasploit can be used in the final exam, but only in a very limited way, and this relates to the usage of the exploits included in the framework. I’m not sure if you’re allowed to use parts of the framework in your own code for your exam challenge – at least I did not need it this way.
      The best way to clarify the scope of usage is to ask your question in their official IRC channel or via mail.

  • November 3, 2013 at 11:02 pm

    Nice review, and an interesting read. I have some questions, if you could please answer them?

    My questions: of those 45 machines that you owned, for how many machines did you write your own exploit to get root?

    Did you r00t from public exploits too?

    How many of them were local root vulnerabilities?

    How many of them were remote root vulnerabilities?

    I know, a lot of questions, I am just curious. I’ll be glad if you respond.

    Thanks

    Regards
    Haider Mahmood
    http://securityundefined.com

    • November 4, 2013 at 8:09 pm

      Hello Haider,

      sure – no problem:

      My questions: of those 45 machines that you owned, for how many machines did you write your own exploit to get root?

      What do you mean by “own” exploit? There is no need to write your own exploits from scratch. But you need to have a solid understanding of how exploits work, because you need to modify them in several cases!

      Did you r00t from public exploits too?

      Yes – some taken from Exploit-DB, and some from Metasploit. I did not use any private exploits, because you have to document your findings in detail.

      How many of them were local root vulnerabilities?

      Most of them. I guess around 80% were local root vulnerabilities or configuration mistakes that led to root access.

      How many of them were remote root vulnerabilities?

      The rest 😉 Only a few directly led to root or SYSTEM.

      If there are any further questions, do not hesitate to ask!

      Regards.

  • November 12, 2013 at 1:57 pm

    Hi Mr.Tux,

    It’s been a long time; I was occupied in a non-security testing area. Glad you have passed PWB. I used to think some time back, since you report more live vulnerabilities in “inshell”, PWB would be kind of a piece of cake, and you have proved it. Good luck in your next venture…

    Catch you later

  • December 16, 2013 at 3:26 pm

    Did the OSCP course have you use BackTrack or Kali?

    • December 17, 2013 at 1:09 pm

      I’ve used Kali, but this doesn’t really matter anyway, because the tools you’ll use are the same on both distributions.

  • September 14, 2014 at 4:56 am

    I know this post is a bit old, but just in case you still check it: does this course actually “teach” you? Or is it more of a “spend all day teaching yourself via lots of Google”?

    thank you for any response.

    • September 14, 2014 at 4:47 pm

      Yes it does! The course is delivered with a lot of video-based training material and supporting PDF files, which are used to build fundamental knowledge. But depending on your experience, I recommend doing additional research on some topics to improve your testing methodology.

      • September 14, 2014 at 10:50 pm

        Thank you for the reply. I have decent skills now; if anything I lack programming skills, but I have years of experience in sys/network admin etc., have the Security+ and have been playing with BackTrack and now Kali. I was just wondering if this course or the CPTE cert.

    • September 15, 2014 at 4:24 am

      I guess I’m wondering… is the eCPPT worth taking, or the mile2 CPTE course, or the OSCP? If you had to pick 1 of the 3, and let’s assume you have enough prerequisite knowledge for any of them, which cert would you say is best in your opinion?

      • September 15, 2014 at 10:05 pm

        I don’t know the mile2 CPTE course, so I’m not able to compare them in detail, but if I had to choose between the eCPPT and the OSCP, I would always take the OSCP, because I like the pain 😉

        • September 15, 2014 at 10:57 pm

          Haha, like the pain, good answer. I was thinking the same based on the info I’m gathering. I’m just not sure I have the programming skills that the OSCP seems to need. If you had to pick one language to learn that would get you by for the OSCP, what would you recommend? I’m thinking Python for ease of learning and usefulness?

          Thanks for all your help and advice.

          • September 16, 2014 at 5:56 pm

            You need at least some Python and Bash scripting plus very basic C/C++ skills, because there might be situations where you have to fix or at least compile e.g. existing kernel-based exploits.

          • September 17, 2014 at 3:39 am

            Would Ruby work? I noticed the eCPPT course has an entire module dedicated to Ruby… was perhaps thinking of that course as a primer to OSCP.

          • September 17, 2014 at 8:23 pm

            Yes, you may handle the different tasks using Python or any other scripting language you like. Have a look over at ethicalhacker.net, there are a lot of other nice reviews!

  • March 10, 2015 at 8:39 pm

    Hi,

    Where can I find some good study materials for OSCP? Are there any videos from CBT Nuggets or TrainSignal? Unable to find any good study materials.

    • March 11, 2015 at 7:48 pm

      There is no need for additional study material, because the course already includes really good study material. All you need is a good technical background and a bit of creativity.
      But if you’re new to the whole pentesting thingy, then you should probably consider taking another, more basic training first.

  • April 3, 2015 at 5:19 pm

    Great review of the OSCP course and examination. I am currently preparing myself to take this exam this coming fall. I work as a sysadmin by day and play around with security at night as a hobby. I’ve already obtained Security+ and CEHv8. I’m currently enrolled in the eLearnSecurity PTSv3 course. I’m also taking the SecurityTube Python course. I’ve also started going through the OSCP PWK course syllabus, making notes and bullet points for each topic. I am hoping this is good enough preparation for OSCP. I think my weak area is in taking exploits, modifying them, recompiling them and using them against a target. Any good training material out there that you know of that covers this in detail? Also, do you know of any good paid virtual labs out there that simulate the OSCP labs? Reason being, I’d like to get some hands-on experience with rooting boxes before doing it for the first time in the course labs.

    Thanks!

    • April 3, 2015 at 5:38 pm

      Any good training material out there that you know of that covers this in detail?

      There are a couple of sources covering exploitation techniques which you might need for the OSCP, like corelan.be.

      Also, do you know of any good paid virtual labs out there that simulate the OSCP labs?

      You do not need to purchase any additional third-party labs, because you will get access to the OSCP lab network, and if you’re running out of time, you can easily extend it.

      Reason being, I’d like to get some hands on experience with rooting boxes before doing it for the first time in the course labs.

      You should have a look at vulnhub.com too – they’re hosting really good challenges.

  • May 14, 2015 at 8:47 pm

    I just retired from the military (22 years) and have a BS and MS in computer systems. I do not have any real-world experience but I want to get into pen testing. I have my Sec+ and took a class on CEH, but that is a large gap between the two. Where should I start? What should I do? Nobody will hire me into the IT security field because I have certs but no experience. Someone please guide me.

    • May 17, 2015 at 1:02 pm

      If you have basic pentesting skills or wide experience in computer systems and networks, you could try to apply for a junior pentesting position. If you are able to present yourself and your creative attitude (which is needed), then it shouldn’t be a problem to get into this field.

      You should also think about taking a more practical course (in contrast to Sec+ and CEH), which gives you a hands-on introduction into pentesting methodologies. Have a look at the courses offered by eLearnSecurity – I think the OSCP is a bit too much at the moment.

  • June 13, 2015 at 1:48 pm

    I hope you still check this thread…
    I’ve done some pen testing on a basic level using BackTrack R5. However, that was all click and test if it works, reading on vulnerabilities and how they work, then choosing the right payload.

    I have minimal scripting skills; how extensive should my scripting skills be? To what extent? Does the course cover scripting at all? I am looking forward to your reply.

    • June 14, 2015 at 10:37 am

      Scripting itself is not covered by the OSCP courseware! So it is assumed that you have basic scripting skills at least in Bash and a second language of your choice. With these you should be able to quickly create short scripts in Bash and modify existing exploit code, and one part is about creating your own exploit.

  • Pingback: OSCP Review by Offsec Students | fl3xu5' blog

  • December 4, 2016 at 10:48 am

    I am CEH certified, working as a network security engineer, with good troubleshooting skills and basic knowledge of shell and Python scripting.

    Shall I go for the course to work as a pentester or security analyst?

    Please advise.

    • December 6, 2016 at 12:42 pm

      Sounds like a good technical foundation to start with the OSCP.

