Finally OSCP – May the force be with you!

Since I’ve passed my OSCP exam last week in my 1st attempt, I thought it’d good to share my experiences and help others who ask for a roadmap. I’ll try to include as many resources as I can:

My Background:

I’ve worked as a web pentester for one year. Then I’ve decided to learn other areas of Security also, so started to work on a large company as a Security Analyst. Basically, I’m working on Defensive Security in daylight, studying on Offensive Security stuff at nights. (Sleep? Who needs it 😛 )

How To Decide to Take OSCP:

I already got my CEH certificate when I start working as a pentester, but it never satisfied me since there is not much hands-on skills requirement to pass CEH. I wanted to show the world that I can think out of the box and has gift to see and exploit vulnerabilities. So I’ve decided to take OSCP.

OSCP Journey:

I’ve started my journey on May 2018. I’ve planned the things to do for each month and followed my plan almost 100%.I’ve studied on Linux, Enumeration basics, Metasploit during May and June 2018Since I was intimidated by Buffer Overflow, I’ve decided to learn as much as I can on the subject before the lab. I’ve written an academic paper on Buffer Overflow and had a basic understanding on the topic. That took 2 months of me (July, August 2018) (I’ll provide the paper on my blog and LinkedIn later)

Vulnhub Machines:

I’ve solved many vulnerable machines from Vulnhub before the lab. (September, October, November – [first 10 days]) I’ve shared some of the walkthroughs on my blog already. But basically, I’ve pwned the followings:

OSCP Similar:

  • Kioptrix: Level 1 (#1)
  • Kioptrix: Level 1.1 (#2)
  • Kioptrix: Level 1.2 (#3)
  • Kioptrix: Level 1.3 (#4)
  • Kioptrix: 2014
  • FristiLeaks 1.3
  • Stapler 1
  • VulnOS 2
  • SickOs 1.2
  • Brainpan 1
  • HackLAB: Vulnix
  • /dev/random: scream
  • pWnOS 2.0
  • SkyTower 1
  • Mr-Robot 1
  • PwnLab
  • Metasploitable 1-2
  • Lin.Security
  • Temple of Doom
  • IMF
  • Moria
  • Tommy Boy
  • Wallaby’s Nightmare
  • Billy Madison
  • Tr0ll1
  • Tr0ll2
  • Exploit ExercisesProtostar
  • Nebula

OSCP Lab (November 11 – January 10)

That was the most beautiful times of my life. I found myself in a pool that I have lots of satisfaction, pain, sufferance,and love 😀 I was crazy before the lab, and now my craziness have a meaning. 🙂

I’ve chosen 60 days options for the lab.I’ve solved 40 machines on lab, including Pain machine and completed all the exercises.

The total hours I’ve spent are as below:

OSCPSMTWTFStWeekly HoursTotal Hours
11.11-17.11112.52.52.543.58.534.534.5
18.11-24.1173.532.56373266.5
25.11-1.126.522222.57.524.591
2.12-8.12522.52.5427.525.5116.5
9.12-15.12553332829145.5
16.12-22.1232.52.52.52.52823168.5
23.12-29.127330.52.53827195.5
30.12-05.0157333.531034.5230
06.01-10.018.53.54.54.521251
13.01-19.0115.01 Exam

In the last 15 days, I decided that I’ll use my time to pwn every single machine I’ve pwned before one more time so that I can be sure of the skills I’ve earned so far. And I’ve pwned 40 machines again in the last 15 days.

Exam Date:

I’ve scheduled my exam as 5 days after my lab time finished. I didn’t wanna get rusty with having a long break between lab and the exam.

Exam:

One needs 70 points to pass the exam.I’ve had a good, relaxing sleep before the exam. I’ve scheduled it to 04.00 am, 15th of January. This way, I’ve dealt with nasty parts of the exam before other human beings wake up to the new day.I’ve started with 25 points Buffer Overflow machine and pwn the machine in the first 1 hour. I’ve taken all screenshots and write a pseudo-report for the first machine on OneNote. So that I felt safe and continue as below:

  • 25 points Buffer Overflow – 04.00-05.00
  • All scans + Enumerations for the 4 boxes – 05.00-06.00
  • 20 points Low Shell – 06.00  – 07.00
  • 25 points Low Shell – 07.00 – 08.00
  • 25 points PrivEsc – 08.00 – 15.30
  • 20 points Privesc – 15.30 – 17.30

So I had enough points after approximately 13 hours. I took only bathroom breaks, didn’t have lunch :/, and drunk 2.5 liters of Coke Zero. I didn’t die, so that strategy worked on me. But it depends on the person and the habits. I generally lose track of time when I study and I can handle non-stop studying for hours normally, so it didn’t kill me for studying 13 hours non-stop. After that, I knew that I’ve passed the exam with 70 points, (I’ve also written the lab report for bonus of 5 points in case I screw on the exam and need 5 more points) and also written the exam report for the other 5 bonus points (if you write your exam report in the first 24 hours, offsec gives +5 bonus points.)

Results:

After 2 days , I’ve got the most beautiful e-mail of my life:

OSCP is a great journey for one to discover himself/herself. You’ll realize your skills, your patience and definitely your boundaries. If you dedicate yourself to the success, you’ll get it in the end no matter how painful it will be. You become an OSCP in the end, I think anything is worthy on that road!As a strong, independent woman working in this industry, I found a new beautiful, strong and badass self in me during my OSCP journey. I definitely suggest you to take OSCP if you get thrilled like me when you see the following:

or this 🙂

Most Important Notes:

  • Ace your Buffer Overflow skills. Do the buffer overflow exercises on the book and make sure you can apply all the steps needed.
  • Privilege Escalation is one of the most important parts I think. I’ve always forced myself to do privilege escalations manually (especially on Windows)
  • Use Terminator, thank me later 🙂
  • Don’t give up! Ever!

Thank you Offensive Security! See you on my next certification – OSWP and then all the others you provide 🙂

Most used resources during the lab:

Privilege Escalation:

http://www.fuzzysecurity.com/tutorials/16.html

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Reverse Shell:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

My own resources I’ve used during the exam:

https://github.com/areyou1or0/OSCP

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.