This is a continuation of my previous post. I’ve had the OSCP now since September of 2015 and I’ve had a lot of time to think about how I got there, what I did wrong when working with the lab and how I should have gotten this certification years ago. My original review is here http://disillusion.us/?p=439 and it’s an incoherent mess I wrote immediately after attempting the exam.
So, like I was going on about in my last post, I finished the course portion of the OSCP, the PWK. I’m forgetting how long I had between scheduling my exam and actually taking it, but I’ll say about a week. Some light reading was applied, mostly Hacker Playbook Version 1, but I didn’t do much else prep work for the exam. I’m not sure whether it was a mistake not to do extra prep work.
Exam Attempt 1
The guidelines come in and I get some exposure to how this exam is going to work, what it takes to pass and any restrictions I’ll have. I’m not certain how much I can go into, but you only get to use the full complement of Metasploit once. Having read some reviews, what I basically did was plan my day out ahead of time. I had 5 servers I had to exploit and escalate privileges on, so I spent time breaking my day up into 1 hour stretches. This was a huge mistake… I didn’t give it enough flexibility or really cater to the way I work. It was very erratic; an hour would come close to ending and I’d be all over the place trying to get whatever I was doing done in a manic fervor.
Ultimately, in my 24 hours I only compromised 2 machines. I did learn a lot about the exam lab itself and the process of taking the exam. However, this attempt killed my motivation; I considered going back to the labs for more time and maybe giving my skills more time to develop before going back to the exam. My goal was to get OSCP before DEF CON 24 and I felt like a huge failure. A much younger friend of mine just happened to take the exam the same day as me and I was unfairly comparing myself to his situation. He just simply had more time to dedicate than I did. I also didn’t plan well for meals, but I had plenty of caffeine to guzzle down. That was a problem: abusing caffeine turned me super manic and whipped me up into a frenzy.
Set your expectations at a reasonable height. You have a huge chance of failing your first attempt. Use this attempt as recon and try to get as far as you can. I’ll go into that shortly. Stock up on supplies, don’t abuse caffeine unless you need to and make sure to plan breaks.
I was so far from getting the required points to pass that I didn’t even bother writing up a report, I just slept.
In a certain sense, I didn’t actually do much. While I was working at the Hacker Warehouse booth at DEF CON 24, I met the author of Hacker Playbook, who gave me a great pep talk, and nabbed a copy of Version 2. Mostly that’s what it was: bitching sessions followed by encouragement, pep talks and good-natured ribbing about my failing my first attempt from OSCP holders. I read the HP v2 book, started consuming every OSCP review I could find (believe it or not, these guys give up a lot of information) and scheduled my second attempt. There was about a month’s gap between the two attempts.
Exam Attempt 2
I got myself into a good head space the week before the exam, took plenty of leisure time and spent time with my fiancee. The second time around was easier, I was calm, I had plenty of food and I slept much better the night before. I went into the start time of the exam feeling much calmer about what I was about to do. In the first hour, I landed one of the harder boxes, followed quickly by two more within the first three hours, then I had a much more difficult time going forward. Having done it once already, the 24 hour time limit wasn’t that intimidating. Every machine is vulnerable in some way, which is contrary to what I’m learning doing this professionally now, so it wasn’t an impossible task in my head anymore.
The thing I learned well from the last attempt was to take detailed notes. I made sure to take pen and paper notes of everything I was doing (I didn’t want to deal with cumbersome note-taking software and lose my place) so that I could move back a step if something didn’t work, or repeat a whole chain of actions when I got it right. My methodology for documentation was to successfully exploit a machine while writing every step down, then repeat that action again, this time writing it up in a word processor while taking screenshots. Before I moved on to another machine I had pretty much written up that finding for the report. I didn’t plan on that, it kind of happened on a whim, but it was the best thing I could have done. The following 24 hours for reporting I spent a lot of time sleeping and relaxing with minimal report writing/polishing.
After hour 16 I had finally exploited and escalated the requisite machines to pass the exam, so I spent another hour or two going after the other one and eventually went to bed.
From a technical standpoint, I don’t have much advice to offer here; if you’ve made it to the exam, you’ll have everything you need to know to pass it. The labs are way more intense in some respects than the exam machines, but the pressure of the time constraints and the perceived difficulty of the exam is what gets you. The only piece of technical advice I can give you is to enumerate the hell out of everything. Before you send your first malicious packet, you really need to learn everything you can about those machines, but you’ll likely have learned that in the lab.
After submitting my exam report, it was maybe 24 hours before I got my results. I passed and that made me super happy. My certificate came much later (it came from Israel), actually signed by Muts. In talking to newer OSCP holders, apparently they also get cards now, which would have been nice to have, but not that big of a deal.
Ultimately this is a great course for anyone of any skill level. Personally I think those that would benefit from it the most would be folks at the beginning of their offensive security career, but I learned quite a bit taking it. Two other contributors to the blog are currently taking it, one a beginner to this industry in general and the other who is on par with me skill-wise, but has been working as a pentester longer. I’m soothing a lot of anxieties for both of them. It’s a tough exam, don’t get me wrong, but it’s not as difficult as you make it out to be in your own head. Talk to people who have actually passed the exam and you’ll hear similar things to what I’m saying. Hearing about it third hand from some guy at a CitySec meetup whose cousin’s brother’s uncle took it is not helpful. (“BRO I HEARD IT WAS SO HARD”) Learning that I was building it up in my head was basically all I needed to pass.