Offensive Security PWB (OSCP) – A Review

Let’s start off on the right foot shall we?  I don’t want to be rude but – I am a computer geek, my writing skills are not so great.  So if you don’t like the way I write just quit reading.  So let’s get on with the story shall we?

 

2013 was just starting and every year I have the opportunity to request training from my employer so I went out in search for a challenge.  In 2012 I received the CISSP certification and after reading all the horror stories about the exam on the internet I was not impressed.  For someone with a diverse technical background the CISSP was “Mickey Mouse” and pretty much a cake walk.  Don’t get me wrong I am quite proud to call myself a CISSP but I wanted a challenge … something that didn’t just take time and effort, but something that would drag my mind through hell.  I found this challenge in the form of the Offensive Security PWB course and OSCP challenge.

 

In The Beginning

 

Once I decided that the PWB course was my training for the year I had to research the training, Offensive Security, and write a proposal so that the funds for the course could be approved.  Offensive Security was no stranger to me, I have been using BackTrack since the days of version 2 and it has been my Linux distro of choice since for pentesting (Currently Kali has been released).  Any group that could put out a distribution like BackTrack definitely could teach me something.

 

The PWB course on the other hand was more difficult to put into terms for management.  Going through review after review of the training and challenge I found terms like “sleep deprived”, “frustrated”, and “hellish” repeated over and over again.  I thought they were all over exaggerating and it was the same story as the CISSP.  Wow was I ever wrong.

 

So the proposal was written, funds were approved, and I wasted no time to sign right up and get started.  The registration and payment process I remember was quite odd and did not flow very well.  Offensive Security does not use fancy web pages for account creation, management, and credit card processing.  Why?  Obvious I thought, why expose that type of thing to the internet with a static URL if you don’t need to.  I thought that it was a very smart move, but still I was frustrated a bit going through the process.

 

Then the material showed up.  Excitement rushed through me and I dug in right away.  The table of contents in the pdf gave me the impression that it wasn’t going to be that hard.  I know my programing skills are far from good, but hey how hard could this really be?

 

I read through the lab guide and watched all the videos.  The quality in the material was definitely there.  For the cost of the course at this point I was thinking that the labs had to be a joke.  I pretty much already got my money worth out of the training.  Considering how other similar courses cost 2 times as much or even more.

 

The Lab

 

Back to the beginning of the guide I went to start working through the exercises, attacking boxes, and recording findings.  The VPN to the lab is amazing, the high speeds and reliability couldn’t have been better.  However other students reverting boxes on you when you’re just about to crack a system was quite frustrating.

 

My first sweep of the lab … This can’t be right.  Ping sweep again.   Holly crap, this lab is huge! The first part of the lab had 35 machines waiting to be attacked!  And this was only 1 of 4 networks in the lab.  I couldn’t believe it, I definitely had my work cut out for me.  Later on I found that the other networks were smaller consisting of 4 – 10 machines each.  Offensive Security definitely did an outstanding job creating this hacking utopia.

 

Boxes started to fall left and right.  I am pretty good at this I thought.  Metasploit here, MS06-086 there, and a quick meterpreter “getsystem” (my biggest mistake and regret).  Easy.  Maybe this isn’t going to be such a challenge.  Well that was the beginning, the low hanging fruit quickly fell and the frustration set in.  Some boxes just were not going down without a fight.  2 days passed without rooting another box … then another 3 days.  What am I doing wrong I thought.  I needed help.

 

IRC (haven’t used it in so long but it was good to be back) communication to Offensive Security staff is provided with the PWB course so I thought that now would be a great time to try it out.  Needless to say you know where this is going if this isn’t the first PWB review you’ve read.

 

Me > ping op

[some op] > pong Me

**go into private messaging**

Me > am I doing something wrong?  I have tried every exploit on [insert any machine name here] and nothing is working.  Can you help me?

[some op] > try harder

 

WTF!? really, no shit.  Well if that aint just a kick in the ass.  Makes your frustration level go straight through the roof!  You cave, admit that you need help, you go ask for it and you get “try harder”.  This was the first time I got this response and definitely it was not the last.  Why would “teachers” do this to a person I thought.  Well I learnt through the “try harder” process that it is the best way to learn.  Don’t get me wrong it’s also the most frustrating way to learn.

 

Let’s put it this way.  You want to learn how to do something.  So you go ask your buddy to teach you.  He/she shows you exactly step by step how to accomplish the task.  Great, you know how to do it.  Now don’t perform that task for a year, do you still remember how to do it?  With the “try harder” approach, lessons that you learn through frustration, tears, and pure agony stay with you.  I will NEVER forget the lessons that I learnt through Bob, Carrie, and that stupid freakn’ OTRS box.  So basically try harder = An op not trying to piss you off, but helping you to learn the lesson, not the solution.

 

The United Students of Offsec

 

As much as try harder was working for me it didn’t solve all my issues and I was quickly seeing my 90 days of lab time run out.  Who can help me out?  My friends and co-workers either don’t have the time or knowledge to help me.  Crap!  I can foresee myself not completing the lab.  Wait this is 2013, communication globally has never been easier.  Off to Twitter I went and basically sent out a distress signal with some hash tags and prayed for a response.  I also responded to another student’s distress signal.

 

I quickly found out that my feelings of hopelessness were shared amongst others within the PWB community.  Emails started flying back and forth and information was being shared.  Don’t misunderstand this.  We were sharing information not giving answers away.  At this point we were all trained in the “try harder” methodology and were not about to break it.  You work extremely hard to get some boxes and you just aren’t about to give it away.

 

We the students were united in our common goal to take down every single system in the lab.

 

Along with IRC Offensive Security also provides students access to an online forum.  These forums are full of great info.  You know the normal stuff “Bob is laughing at you”, “try harder”, and then the helpful information.  However being regulated by Offensive Security I don’t think that you will find any good hints or solutions to the labs in there.  Again it’s about learning the lesson and not achieving the goal.

 

Lab time was coming to an end and I had my challenge already booked.  Just a few days left and I decided to quit working in the lab and get the lab report completed.  I felt horrible.  I was unable to get Pain, Sufferance, and Jack (in the admin lab).  What a ride, and it wasn’t over yet.  With the challenge that weekend I couldn’t waste time worrying about what I didn’t do.  Over the 90 days I learnt a lot and achieved quite a bit.

 

The Challenge

 

The OSCP challenge is a 24 hour test of what you have learnt.  You are given access to a new lab that the student has no previous knowledge of and they are challenged to gain administrative access to the 5 machines in 24 hours.  Machines are rated at different point levels and points are gained when access is obtained by the student.  To pass the challenge a total of 70 points must be achieved out of a possible 100.  When the 24 hours is up the student then has another 24 hours to write the report in the format of a pentest report and submit it to Offensive Security.  Oh and there is one catch … remember way back at the beginning of this write up my biggest mistake and regret in the lab?  You guessed it.  You can’t use metasploit in the challenge (with some exceptions, it is laid out quite nicely in the challenge package).

 

7:00 AM on Saturday May 4th 2013 I am sitting at my desk waiting for my exam package.  Nothing.  7:05 .. 7:15 still nothing.  What the hell?  Yeah so long story short I screwed up with the time zones and booked my exam for 8:00 AM.  Even worse I did this again scheduling the next exam as well.

 

Finally I get the exam package and I am off to the races.  I had no plan, no schedule, and no idea what I was going to do.  Worst battle plan ever.  So yeah lets sum up this challenge attempt to WTF Why Did I Show Up?

 

I worked from 8AM to midnight straight with no breaks.  Then I gave up.  I was beat, and there was nothing else left in me.  Only one box rooted and 2 limited shells.  I knew right away there was no possible way I passed.  I went home defeated, feeling like crap … a failure.  I whimpered to myself a little before I went to bed and then raised the white surrender flag.  I had no intension to wake up and try any more.

 

Family and friends were needed to pick me up the next day.  Words of encouragement and long talks convinced me that I could do this.  Really this is the challenge that I was originally looking for.  Now I have found that challenge and I am going to quit because it’s not easy?  Hell no.  I wrote up the lame pentest report and sent it off to Offensive Security.  2 days later that dreaded you failed email came.  I knew it was coming but man did it ever hurt.  Someone else out there knows how poorly I did.  Ouch.  Funny thing is I found out that you can’t rebook your challenge until you get that rejection email.  Wonder if I was the first one to try and reschedule before finding out for sure if they failed?

 

I rescheduled for the soonest weekend that fit into my schedule.  I did this for one main reason.  It kept me extremely focused and made me get over the failure very quickly.  Hell who’s got time to feel sorry for themselves when you got to do the challenge again?  Offensive Security is very kind and has priced the challenge retake very low.  Thank you, because this one I had to pay for myself.  Again together with other PWB students a plan was formed, code was compiled and a strategy was formed.

 

Over the next 2-3 weeks many test machines were created, and exploited.  I had figured from other reviews on the internet that I was not going to face the same challenge as the first time so I’d better be ready.

 

  • Linux and Windows Privilege Escalation “Libraries” were built
  • A detailed 24 hour plan was created with structured breaks and machine rotation
    • First 3 hours were reconnaissance
    • Then 1.5 hours per machine in a rotation
    • Whiteboard was prepped to keep notes on important machine details like OS and kernel ver.
    • A list of questions was made to help me think when I got stuck on machines
    • A very detailed procedure was created with commands for recon work.

 

Saturday May 25th, 2013 – 7:00 AM …. I screwed up the time zone thing again.  Wait until 8:00 AM.  The exam package came in.  A huge break the “buffer overflow” box was repeated in this challenge.  This was the only box I rooted in the previous attempt.  Thank the gods I haven’t even started typing and I know I have 25 points.

 

I followed my plan.  Recon work, then break, did the buffer overflow box.  Bingo! 25 points, only 45 more needed and I am only 3 hours in.  Then limited shells on 2 boxes.  When I stopped for my lunch break (away from my computer) I was feeling good.  I should have this done in time to get to bed at a decent time.

 

After my lunch I hit a wall.  Nothing was working and I just couldn’t make progress.  Then at around 5:30 PM I got another box!  That really picked me up and I was starting to feel energized again.  But no more progress was made, I broke my schedule and skipped my dinner break … oh no, things were starting to fall apart and failure was looking like a reality again.

 

10:00 PM I went home I was going to sleep until 2:00 AM and get back at it.  However I was still wide awake at 10:45 PM … I wasn’t going to sleep.  Back to the office I went.  Crazy good luck ensued and by 2:00 AM I had another box and another limited shell.  However that was all that I was to get that night.  6:00 AM I went back home and slept … for a whopping 2 hours when I was woken by a phone call.  So back to the office, I was awake anyway and I needed to write that report.

 

I looked at what I had done and with access to the challenge lab cut off I could do no more work.  Am I gonna make it?  I knew I had a solid amount of points but how does Offensive Security give partial points, and will the report be good enough to get all of the points for the work I did?  I wrote the report and put as much detail in it as I could.  I was even thinking of attaching some kind bribe on the report.  Is there a way to attach a couple hundred “pay pal” bucks to a pdf?  Well either way I packaged it all up ( no bribe included 🙂 ), said a little prayer and hit send.

 

I waited … waited … and even though the reply was in, in just over 24 hours it felt like an eternity.  Then 3 minutes before I was to leave work for the day I got the email.  Holly crap I passed!  My eyes started tearing up a little and I was ecstatic!  I learnt the lessons, I fought a good fight, I didn’t make it by a lot I know … but the point was I made it.  I wanted the challenge, it was presented to me, and I had risen up and proved myself.

 

Once a student has passed the challenge they are given access to a new area in the forum where discussing the challenge is permitted.  I looked up where I fell short immediately.  Go figure the first box I didn’t get … I had that exploit already compiled in my library … what the hell?  So I went back to my notes and some how I didn’t try it.  Another reason to make a detailed attack strategy with a sequence to follow.  The second box I missed well let’s just say I want to kick my own ass for not getting that.  So obvious that I completely ignored it thinking that they wouldn’t make it that easy.   So the interesting thing is the points that I missed was not due to lack of knowledge but because I did not follow a strict procedure to gain access.

 

I now hold the OSCP certification and I hold it above all other certs.  I put in close to 400 hours of my time into this course, broke 2 keyboards in frustration, and almost lost one LCD.  It is not that this cert means more than the others, it is because this cert was truly earned.  I worked hard for this one and in the process learnt a lot about pen testing, exploitation, and myself.  It is an experience that I will never forget.

 

What Students Should Know

 

From my entire experience here is what I wish I found on the net before I started.

 

  • When in the labs use metasploit, but every time you do make sure you can exploit the machine by hand as well
  • Do every extra mile exercise, they really do help you learn the material
  • Play in the Offsec lab’s hacking utopia as long as you can and have fun with it at the same time
  • Reach out to other students.  Peer support is worth so much.  To the guys that supported me thank you!  I couldn’t have done it without you.
  • When working through the lab keep all exploits you have used on your local machine, neatly organized, and leave yourself readme files of where you found the exploit and which systems it will work on
  • Even though enumeration isn’t as fun and exciting as exploitation PRACTICE it and have good notes.  The challenge is pretty much built to fail you if you don’t have good enumeration techniques
  • Go into the challenge with a solid attack strategy
  • Make lists and notes to keep yourself on track in the challenge
  • If you are working from a virtual machine, take snapshots of it … you never know when it will break
  • Don’t update metasploit when connected to the labs … for some reason it seems to really break it.  This happened to myself and one other student that I talked with
  • If you are married or are in a relationship you better hope they are understanding or you will be single by the end.  A big thanks to my wife, family, and friends who helped me through this!

 

What Employers Need To Know

 

  • The OSCP certification is hard to get.
  • If you are looking for a technical security guy/gal or pen tester, look for an OSCP.  If you are looking for a policy writer or manager then get a CISSP.
  • OSCP holders have proven that they have a solid understanding of penetration testing and computer security on multiple platforms
  • From my experience and what I have read an OSCP will be more technical and have a better understanding of penetration testing than a CEH (my opinion only)
  • The OSCP is one of a handful of certifications that is achieved through hands on scenario testing rather than multiple choice.  You can guess a, b, c, or d and have a %25 of getting it right.  Lab scenarios there is no guessing.
  • For the most part I think students that have went through the PWB course and achieved the OSCP certification show dedication and exceptional work ethic (again my opinion only) or they are truly gifted and just breezed through it
  • For everyone who thinks IT Certification is a joke and not worth while – re-evaluate VPN scenario based testing.  I see this as the future testing standard for all IT certifications.

 

So what’s next?  Well that OSCE is looking pretty tough and I still have some hair left to pull out …

All Work on this site is not to be reproduced without written permision from Nick Schroedl.