Saturday, 16 July 2016

OSCP

Recently I managed to pass the Offensive Security Certified Professional exam and became an OSCP. I will not go into a detailed review as there are plenty of them available out there. However, I would like to share a bit of my experience and maybe a bit of advice to those of you who hesitate.

It is worth starting from the beginning

It is a hacking course, so you may want to start hacking right away. Unless you are already a skilled penetration tester, I would advise you to go through the materials step by step first. By that I mean reading the material from a particular chapter, then watching the video for that chapter and then writing the homework report part (if there is one, and for most chapters there is). It should pay off on the exam when you encounter something that you somehow did not try or did not exploit successfully.
What I did wrong was watching all the videos, then reading the materials and only after that doing the homework. I doubled or tripled the time spent on the tasks.

Start with the low-hanging fruit

Yeah, I hated that sentence. But after you finish all the homework, the lowest-hanging fruit should be obvious; you are even encouraged to detect some of it. After that I really did not know what to attack next. You may think that the forum may help, and it does help in identifying the most difficult targets. But there is no key to identifying the easiest ones; I just tried hosts from the beginning of the IP range to the end. Many of the machines took me about a day to hack into, despite forum users writing about being stuck.

Fail fast and furious

You have to learn to fail fast (but not too fast, of course) and to grow that sporting kind of anger in you. Some of the machines just ARE difficult (for you), and it may be reasonable to move on to the next machine when you cannot move further for a day or so, then come back later and show that f*** virtual host that you are the one to master it :) Just take notes as you go so you can start again from the point of failure.

Take notes, create report

As a penetration tester you will learn that what your client is paying for is not the hacking into their infrastructure but the report. So write your report from your homework, and write the report for a particular host just after rooting it. Do not wait, as you will definitely forget something and your notes may not suffice. After the lab you will book the exam, and what you need then is rest, without the stressful experience of creating 200-300 pages of lab/homework report. My report was 200+ pages and that is nothing special; there are reports of 300+ pages from the lab, depending on your writing skill and the screenshots taken. Such a report not only gives you additional points on the exam but will also be helpful during the exam.

The target network

The lab network contains many hosts, but it is not the target. Your target is the admin network and you have to get to it. In my opinion it is really worth it, especially because it is a perfect environment to overcome the difficulty of pivoting and running a payload in another network.
I personally managed to own about 75% of that network and found it to be a lot of fun and a challenge.
All in all, the lab's purpose is to simulate a real company with real segmentation.

The extra time

I bought 90 days of lab time. It should be enough to hack into most of the machines; however, I failed to use that time well. Family issues, work issues, the need for rest etc.
I also failed to notice that each extension of the lab gives you a free exam attempt. Therefore I probably could have passed the exam at least one month earlier.

The exam

Send your family away; you really need 48h of a quiet, peaceful environment. You also need your equipment such as all the monitors, mouse etc. Plan the exam early to be able to book the morning hours (about 10 am should be fine). My first attempt started at about 18:00 and it was way too late. The exam is very challenging, and during the exam I learned and mastered a hacking technique which I did not have the opportunity to encounter in the lab (it was barely signalled in the lab). Do not forget about sleep. I failed to rest on the first attempt and that resulted in brain overuse.
Write your report in detail and take your time. I am meticulous, so it took me about 6 hours of work in total.

The failure

I was sooooooo close: a couple of roots, a couple of unprivileged shells and a good idea of how to attack the rest, and then the time ran out. Not enough rest and a bit of bad luck.
On the second (and final) attempt I was able to do almost all hosts in full, and the last one was very close, but I lacked about 5 minutes. The key really is to take a rest or even a nap or two. Try harder, but not too hard, as you have to use 100% of yourself, and not resting is the recipe for failure. After the second attempt I was quite sure that I had passed, but only when I received the email from Offsec did I understand why the OSCP community is like war veterans. Only those who tried harder know that feeling :-)

Was it worth it?

Definitely yes. I learned how to write a professional pentest report, how to effectively own hosts and what to look for. Before the course I thought I knew quite a lot. During those months I learned a lot more, especially about Windows, which I normally do not use at all. I learned not only about hacking but also about the pentester's routine. All in all, for almost half a year I was a part-time pentester hacking into a medium-sized organisation. I really loved that feeling of gaining root privileges, hacking into other networks... Pure pleasure.
I also enjoyed the exploitation part (OSCP only scratches the surface), so I will probably take my chance on Cracking The Perimeter - we'll see.