
How I passed the OSCP



Periodically, the topic of training information security specialists in various fields and obtaining the relevant certifications comes up on Habr. Preparing for and passing CISSP, CISA, Security+ and CEH/ECSA have already been discussed, and every two or three weeks we are actively invited to courses from pentestit.

In the same vein, I want to introduce readers to another training option and share my own experience of taking the Penetration Testing with Kali Linux (PWK) course from Offensive Security and then sitting the exam that follows it.

About Offensive Security


It is probably impossible to find anyone seriously engaged in practical security who has not heard of this company. BackTrack, Kali Linux, the Exploit Database and the Google Hacking Database are the best known of the projects it maintains.

The company also does penetration testing and professional training, online or live at conference venues. At the time of writing, the following courses were offered:

There are also courses that can only be taken in person at the Black Hat USA conference venue:

I took PWK, so that is what the rest of this post is about.

About the course


As the name implies, the course is purely practical and collects the basic techniques used in security testing. After registration the student receives video lectures, a PDF with the course materials (in my case 360 pages and several hours of video) and, most importantly, VPN access to an online lab. Working through the hosts in the lab is by far the most enjoyable part, and the course is worth buying for that alone. There are other perks too, such as access to a private forum and the ability to chat with instructors on IRC.

The cost of the course depends substantially on the number of days of lab access. At the time of publication the prices were:

That works out somewhat expensive, especially at the current exchange rate.

The documentation covers a fairly wide list of topics that follow the generally accepted methodology: information gathering, enumeration, fuzzing, exploiting binary vulnerabilities, using ready-made exploits and writing your own, privilege escalation, tunneling connections, basic attacks on web applications, automation with Python and bash scripts, and so on. The detailed syllabus is on the website. Most sections come with a set of exercises to be performed in the lab, plus starred questions that are suggested for independent study.

In practice, many of the lab problems are solved only after many hours of studying the issue, collecting information from other resources and trying a variety of approaches. Merely reading the documentation, watching the videos and retyping the command examples will most likely not be enough to compromise half the hosts in the lab, let alone pass the exam. And that is the whole point of OSCP: it teaches you to get to the bottom of a vulnerability and find a solution on your own rather than mindlessly paste commands into the console.

On the other hand, the prerequisites are minimal, so everything can be picked up gradually. It is also worth saying that the training will not give you specialised skills like writing ROP chains or hunting race conditions in web applications. Such knowledge is not required to complete the lab and pass the exam, but one way or another these topics do come up while working through the lab.

For example, as still happens on real systems, the lab had a host vulnerable to the notorious MS08-067. It seems trivial: use the well-known Metasploit module and move on to the next target. But here a problem arises: the framework is practically forbidden on the exam, so in such a situation automated exploitation will not work. Of the exploits found on the Internet, not one wanted to work, which prompted further investigation of the vulnerability itself, studying how DEP works on different systems with different service packs, writing ROP chains, and so on. The result: a certain amount of time spent, a lot of fun, and a ready exploit for everything from WinXP SP0 to Windows Server 2003 SP2, which, however, never had to be used.

Labs


When purchasing, you can choose lab access for 30, 60 or 90 days. If you are new to practical security, or plan to spend no more than 3-4 hours a day on training, choose the maximum option. From my own experience I can say there really is plenty to do. In addition, the first month will most likely go on studying the theory and the main toolkit: learning to write shell scripts, getting comfortable with Wireshark, compiling exploits for various software, and so on. The rest of the time will be taken up by exploitation itself and by studying in parallel the various techniques and details that are not covered in the official documentation.

The lab is kept as close to real life as possible: systems are periodically updated, and it contains vulnerable services that are frequently encountered on real pentests.

In total there are about 60 virtual hosts with a variety of configurations. The network is broken down into related segments: Public Network, Development Network, IT Department, Administrative Department. Only the public network is directly reachable; to get to the rest you will need to proxy connections and forward ports through hosts you have already compromised.

Each host is vulnerable in some way. Some machines are easy to get into, while others take hours or even days. Compromising every system is not required; the main goal is to gain as many skills as possible. But if you have the opportunity, I would advise understanding and obtaining maximum privileges on all the machines. And if you have time to deal with PAIN, SUFFERANCE, GHOST and HUMBLE, that is great: you can add a line to your resume straight away, and knowledgeable people will appreciate it :)

OSCP is a sea of fun, delight, pain and suffering all at once. You often see questions on the forum or in the chat like “I have spent a week on this host, forgotten what my wife looks like and what my dog's name is, tried every option, nothing works. What do I do?”. Most often the answer will be a dry “Try Harder” or “Enumeration is the key”.

Try Harder is practically the course's middle name and its philosophy. It is a mantra that haunts you throughout the training and becomes your motto afterwards. “Exploit X doesn't compile, what do I do?” Try Harder. “I got access to Alice, Bob and Pedro, but how do I get into Cory?” Try Harder. “I tried all the privilege escalation exploits for Y but never got root.” Try Harder. And so on, every time.

And only after an impressive write-up of the work done on researching the target, enumerating services and all the attempted attacks, once you have felt all the suffering, will the instructor on IRC give a small hint or ask a leading question. At that moment you begin to doubt your choice of profession. How could anyone not notice such a simple detail or not try such an obvious approach? Why couldn't I work it out myself?

In general, OSCP also teaches attention to detail and gives you confidence that everything can be broken; you just need to find that seemingly insignificant detail.

Exam


The exam is another distinctive feature of the course. The student is given VPN access to a closed network, with 24 hours to compromise it and another 24 hours to write the final report. The report should include an introduction, an executive summary for management, the full course of testing with technical details, and remediation recommendations. You should also attach a report on the lab: in borderline cases it gives the examiners a chance to tip the scales in your favour and pass you.

The exam has strict rules: you cannot use vulnerability scanners (Nessus, Acunetix, etc.) or automatic exploitation tools (for example, sqlmap). As I wrote above, the use of Metasploit is permissible in some cases but strictly limited to a list of modules.

Depending on the level of access obtained, a certain number of points is awarded for each compromised host. Judging by the reviews, many candidates fail precisely on privilege escalation, so it is worth paying particular attention to it in your preparation. The targets also vary in difficulty. The required minimum is 70 points. As it seemed to me, the exam hosts were not particularly different in difficulty from the lab ones.
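Since privilege escalation is singled out above as the step many candidates fail, here is an added example, not from the original post and not part of Offensive Security's course material, of the kind of small Linux enumeration script worth writing for yourself before the exam (the rules ban scanners and automated exploitation tools, not your own scripts). The function names, the cron format it assumes (system crontab lines with a user field) and the constructed fixture used for the self-check are all my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a minimal Linux privilege
# escalation enumeration helper. Every check takes its starting point as an
# argument so it can be pointed at a test tree; pass --live to scan the
# running system. Note that -w reflects the invoking user, so run it as the
# low-privileged foothold user (as root, everything looks writable).

# Setuid/setgid files under a tree: a misconfigured or known-vulnerable one
# is the classic escalation path. -xdev keeps find on one filesystem.
find_suid() {
    local root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# World-writable regular files under a tree. Under /etc this catches editable
# configs; under cron or /opt directories it catches scripts run by root.
find_world_writable() {
    local root="${1:-/etc}"
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# Entries of a PATH-style string the current user can write to. A root cron
# job or sudo rule that runs a command by bare name with such a PATH can be
# hijacked by planting a same-named binary there.
writable_path_dirs() {
    local path="${1:-$PATH}" dir
    local IFS=':'
    for dir in $path; do
        [ -z "$dir" ] && dir="."          # an empty PATH entry means the cwd
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    return 0
}

# Commands in a system-crontab-style file (min hour dom mon dow user cmd...)
# that point at a file the current user can write; comments and environment
# assignments are skipped. Only the first word of the command is examined.
writable_cron_targets() {
    local file="$1" line cmd
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
        cmd=$(printf '%s\n' "$line" | awk '{print $7}')
        [ -n "$cmd" ] && [ -f "$cmd" ] && [ -w "$cmd" ] && printf '%s\n' "$cmd"
    done < "$file"
    return 0
}

# Constructed fixture for a self-check (not a real system): one setuid file,
# one world-writable file, and a crontab whose root job runs that file.
make_fixture() {
    local d="$1"
    mkdir -p "$d/bin" "$d/etc"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/helper"; chmod 4755 "$d/bin/helper"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/plain";  chmod 0755 "$d/bin/plain"
    printf 'x\n' > "$d/etc/loose";  chmod 0666 "$d/etc/loose"
    printf 'x\n' > "$d/etc/strict"; chmod 0644 "$d/etc/strict"
    printf 'SHELL=/bin/sh\n# nightly jobs\n*/5 * * * * root %s/etc/loose\n0 3 * * * root /nonexistent/backup.sh\n' \
        "$d" > "$d/crontab"
}

main() {
    echo "== setuid/setgid files ==";        find_suid /
    echo "== world-writable under /etc =="; find_world_writable /etc
    echo "== writable PATH entries ==";     writable_path_dirs "$PATH"
    if [ -r /etc/crontab ]; then
        echo "== writable cron targets in /etc/crontab =="
        writable_cron_targets /etc/crontab
    fi
}

if [ "${1:-}" = "--live" ]; then main; fi
```

Usage: copy the script to the target and run `bash privesc_enum.sh --live` as the user you landed as; the output is a starting list, not a verdict, and each hit still has to be checked by hand (which version of the setuid binary, what the cron job actually does, whether the writable directory is earlier in PATH than the real binary).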

In my case the network turned out to be 5 hosts worth from 10 to 25 points each. The first three hours went on collecting information, port scanning and all sorts of enumeration. After that the attack options were more or less clear. I got the first root, for 20 points, about 3 hours later. An hour after that I managed to finish off a 25-point host. Then things got harder, as fatigue began to take its toll, and for 2 hours I jumped from one host to another, not knowing which one to stick with. A break for food and a short walk helped, after which I managed to find a way to get a low-privileged foothold on the other 25-point host and then escalate privileges. Funnily enough, the last host to fall was the 10-point one.

In total it all took about 12-14 hours including breaks. The next day I sent the final report (exam + lab) to the organisers. Two days later I received a letter confirming that I had passed and been awarded Offensive Security Certified Professional.

As for tips:


As a conclusion


The practical orientation is largely what makes the course exceptional. Especially pleasing is the focus on acquiring real skills rather than on memorising the right boxes to tick in multiple-choice tests. Two weeks of fun and immersion in my favourite work flew by unnoticed, and it is even a little sad that it is all over.
Anyone starting a career in practical information security is strongly recommended to take a closer look. And those who have already taken these courses, please share your impressions in the comments; I am particularly interested in OSCE and AWAE.

And a nice addition to finish: the song “Offensive Security - Try Harder”.

Source: https://habr.com/ru/post/265757/
