I would like to share my experience during Offensive Security’s course Penetration Testing with Kali (PWK) and the exam which leads to the Offensive Security Certified Professional (OSCP) certification.
Having been interested in the field of IT security for a long time (mostly software security), I decided to subscribe to 2 months of lab access and later extended it by one more month.
After receiving the “Penetration Testing with Kali” course material, I managed to go through most of the PDF within the first week, leaving some of the exercises open to return to once I was fully immersed in the labs and had gained some more hands-on experience.
Because of the huge amount of information provided in the course material, it is advisable to take notes and put them into a structured form where the information can be easily retrieved later on.
I followed Offensive Security’s recommendation to manage notes regarding lab machines and exercises in KeepNote. Besides that, I assembled a Word document during the course, containing information about different shell commands and tools for quick reference.
The lab itself consisted of around 50 systems, with varying operating systems, patch levels, installed applications and configurations laid out in multiple networks.
At first glance the vast number of systems to compromise looked daunting, but after some time of network reconnaissance and first compromises, a structure started to take shape. Having a clearer picture, I started to fine-tune my strategy to go after the high-value targets and try to gain quick access to as many additional networks as possible.
The course is designed to be fully hands-on. Offensive Security provides you with enough information to get you started, but after that you’re on your own. No spoon-feeding, no easy shortcuts. In cases when you’re really stuck, it’s possible to consult the forums or the support chat. Both may (or may not) provide pointers but never provide solutions. The student is always requested to do the thinking part by himself. Sure, sometimes it can be quite frustrating trying to get root access to a machine for days, but it is all the more satisfying once you get root access, knowing you achieved it yourself by going through a valuable learning process.
Getting past the course requires a huge commitment from the candidate. Be ready to work hard, be curious, embrace new ideas and do a lot of research on your own.
My lab time expired early on Saturday morning and I scheduled the exam for the upcoming Monday. Before the VPN connection was cut off for good, I owned all the lab machines except for 4 of them, and I had the feeling that 2 of the remaining machines were close to falling.
Anyways, after that intense final lab evening I decided to get some hours of sleep. The next morning I started to finalize the lab report with the appended exercises and made sure to get some rest on Sunday before the OSCP exam.
Monday morning – The long awaited moment of truth has finally arrived.
I went for a walk, had some nutritious breakfast and was ready to get started.
At the scheduled time of 11:00, the email containing the VPN connection information arrived. I eagerly logged into the exam network and started scanning the machines, while reading the objectives for every single machine.
By around 19:00 I had 3 out of 5 machines fully owned. So I decided it was a good moment for a break, to go out for a run and have dinner.
I returned to the exam confident of getting the last 2 remaining boxes at the same pace. I was so wrong. Cycling through the two machines multiple times, I was just not able to get any foothold into the systems. Nervousness started to kick in; I tried all sorts of things but had no success.
Around midnight, I identified a potential vulnerability on one of the systems. Still having the Metasploit “Joker” left to use on one of the exam systems, I decided this one was a good candidate for it. So I set up the options, crossed my fingers and fired the exploit against it. Yes! Meterpreter shell opened up!
Very relieved, I started to search for ways to escalate the access level to root but to no avail, so I decided to focus on the last machine within the remaining limited time frame.
Same story again. Repeatedly enumerating the machine from top to bottom, firing different exploits at it, banging my head against the wall, going in circles – No success.
I was getting tired, so I decided to call it a day at around 6:30. I went to brush my teeth and prepare for bed. Suddenly I had this feeling I was missing something very fundamental about this machine, so I gave it one more try. I approached it from a completely different angle. I attentively reviewed all the information the machine was offering and suddenly a new attack vector opened up! I followed the path and in a matter of a few minutes I had a low-privilege shell on that system! Even though it was only a low-privilege shell, I felt very euphoric.
Reaching the number of points needed to pass the OSCP exam started to become a realistic thought. Being excited about being so close, I just couldn’t give up, so I kept trying to escalate privileges until the exam time ran out.
Tired but satisfied with the experience, I went to sleep for some hours and then finalized the exam report. The next day I submitted the exam report along with the lab report.
Within a work day I received an email from Offensive Security informing me that I successfully passed the exam and obtained the OSCP certification.
All in all it was a great learning experience. The guys at Offensive Security do a great job in offering a high quality course with a wide diversity of topics and techniques. No two provided machines are alike, every machine teaches the student something new.
The course gives a deep insight into how network penetrations are conducted. The knowledge gained throughout this course definitely filled the gaps and changed my perspective on IT security.
Continuing efforts and going for the Offensive Security Certified Expert (OSCE) certification now 🙂