Cybersecurity notes and thoughts, exploring events and news from the internet with a view to making them accessible to those on the edge of or even outside the industry

OSCP(+) - Offsec Certified Professional

A year and a few months ago, I passed what was probably the most challenging and certainly the most enjoyable technical exam I’ve taken, Offsec’s OSCP. It’s a certification gained at the end of their entry-level PEN-200 course, focused on penetration testing with Kali Linux.

Unlike many exams in the technical sector, this exam is (aside from the writing of the report you must submit at its conclusion) fully hands-on. You have 24 hours to find a sufficient quantity of flags, and you’re expected to find time to sleep, eat and the like within that timeframe.

Offsec are very, very particular about keeping exam information private. They put a lot of effort into maintaining the credibility of their certifications, and so the information I relay here will be a somewhat redacted edition of my own experience and guidelines they have published themselves.

Exam Structure

Inside that 24 hour window, you will have the following targets:

  • A set of Windows boxes running inside an Active Directory domain (one of these boxes will be a Domain Controller)
  • Three standalone boxes, which will be a mix of Linux and Windows targets

The AD set, in particular, at least has a chance of requiring network pivoting, because some of its boxes are not on the same subnet as the attacker.

Each box has two flags - one held by an unprivileged user, and one held by the administrator or root user. Each of these flags contributes toward the total number of “points” needed to pass, and to claim those points you need to both submit the flags to the exam portal and include screenshots of your obtaining those flags via an interactive console. That means that you can’t retrieve them via local file inclusion or similar; you need a terminal, or remote desktop of some kind. Your screenshot absolutely must show the IP address and the flag together!

Exam Experience

I sat down and kicked things off at 9am. What this actually means is that I sat down at 8:45 and began the whole check-in process with the proctor. It’s important to note that the entire exam session is recorded - your desktop and webcam are visible to the proctor at all times - and without that functioning you can’t continue. You’ll also need to show appropriate ID before you begin - enjoy the inevitable “my webcam won’t focus properly” fun there.

Still, with the administration done, I could connect to the VPN and begin exploring.

Active Directory Set

As the AD set is necessary in order to achieve enough points to pass, I began with that. It was (as I think is standard) an assumed-breach scenario - you are given an unprivileged user’s credentials on one box, and work your way through from there.

I had expected to find the AD set the trickiest to manage - being generally less comfortable with Windows than I am with Linux - but actually had all three boxes fully compromised within a couple of hours. I didn’t get stuck in any rabbit holes (hoo boy, later on that changed) and actually came through this section of the exam surprised at how smoothly it had gone.

The one tip I can safely offer is to use BloodHound when trying to visualise your understanding of the domain. The final step - compromising the DC - was frustrating me briefly before a closer look at BloodHound revealed I had actually already compromised a user that gave me a path to my goal. As is so often the case, the forest (geddit?) was getting in the way of my lovely view of some trees.

Standalones

Linux

I had a good look at a randomly selected standalone box, which I was pleased to see was Linux-based. This one, this one had a rabbit hole to fall into, and fall into it I did. Eventually - after literal hours - I realised that it must be a rabbit hole and went back to some basic enumeration. You can imagine the kicking myself on finding that the foothold was almost lit up with neon signage, just in a corner I hadn’t yet peeked into. With that access gained, escalating to root was actually very simple, requiring a quick Google search of something that was very obviously odd and then exploiting it. This was an irritatingly slow step, but satisfying to complete.

Windows

My second standalone was Windows-based, and simultaneously a lot of fun and extremely aggravating. The initial enumeration revealed some documents that clearly shouldn’t have been accessible (the “people” in CTFs are routinely unable to tie their own shoes, I presume) and led me to the path that resulted in the foothold. I had a username, I had a password, but the vector was incredibly slow to respond, and I needed to more or less trial-and-error my way to the format in which the username should be specified. Was it just <username>? <domain>\<username>? If the latter, what’s the domain going to be on this standalone box? Will the domain have .local at the end, or something else? The slow feedback loop made this comfortably the most excruciating part of the exam, and really sapped my willpower. Still, eventually, I got through and had my first flag from this box. At this point, it was 11pm and - without enough points in the bag to pass - I went to bed, intending to pick up again in the early hours of day 2 just in case any extra brainwaves arrived.

The … the other one

The third standalone box didn’t get much of a look. I did some fairly basic enumeration but didn’t find anything obvious, so paid more attention to the Windows box on which I had banged my head for some time already. I could have taken a deeper look into this in the morning, but I decided that - since I had enough points to pass - I’d focus on making sure I had all of my documentation ready (good googly moogly what’d happen if I realised I’d missed a screenshot?).

Report Writing

Your report stating “rooted them all, fam” is not going to cut it, here. You have an extra 24 hours after your exam finishes to write the report, and you should expect to spend most of that time actually doing it. My first draft, looking back, was a little laughable, and I’m really glad I went back and added more meat to the bones.

When writing yours, always try to ask the following question:

Could a technically capable person follow this report and access the flags with no extra help?

If you can give a confident Yes!, then you’re probably ready to go. Include your screenshots, make sure your writing is clear and designed to be read and then package things up as the instructions dictate. This part of the process is testing your (written) communication skills as much as your technical understanding.

Lessons Learned

The real learning was the friends along the way, or something.

No, the lesson I took away from this is probably the same as literally everyone else who passed this exam.

Enumerate. Then enumerate some more.

The only significant rabbit holes I fell into were a case of blowing past the right thing and focusing instead on the wrong thing. It’s important to remember that these boxes are more CTFs than realistic scenarios (somewhat sadly), and that means they’re designed by a human. There is, categorically, a right path, and there are very likely some wrong paths, too. An important knack is figuring out which you’re on. Sometimes, the thing you’re looking at seems like a locked door because that’s exactly what it is. If you spend more than half an hour not even sure where else to look, go back a few steps and confirm some basics. Did you scan all of the TCP ports? Did you scan UDP? Did you check for setuid and setgid? To be clear: none of those were solutions in my case, but they are exactly the kind of thing that I did need to go back and double-check.
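The setuid/setgid check above is the one item on that list that can be scripted against a filesystem without a target, so here is an added example (mine, not from the post or from Offsec's course material) that lists setuid and setgid files under a directory tree and reports any that are not on a baseline list; the baseline file format (one absolute path per line) is my own assumption, and the same check is what an administrator would run to spot a binary with unexpected privilege bits.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a directory tree for
# files with the setuid (4000) or setgid (2000) bit set and reports those
# that are not on a baseline list. An unexpected entry is worth a closer
# look from either side of the table: it is a privilege-escalation path.

# list_special_bits ROOT
#   Print every regular file under ROOT with setuid or setgid set, sorted,
#   one absolute path per line. Stays on one filesystem (-xdev) so a scan
#   of / does not wander into /proc or network mounts.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_special_bits ROOT BASELINE
#   Print the setuid/setgid files under ROOT whose path is not listed
#   (exact match, one path per line) in the BASELINE file. Assumed format:
#   the baseline is whatever list_special_bits printed on a known-good host.
unexpected_special_bits() {
    list_special_bits "$1" | grep -v -x -F -f "$2" || true
}

# Stand-alone usage: sh audit.sh ROOT BASELINE
if [ "$#" -eq 2 ]; then
    unexpected_special_bits "$1" "$2"
fi
```

Run it once on a freshly built box to capture the baseline, then rerun after changes; anything it prints is either a new legitimate tool or the sort of "very obviously odd" thing the post describes.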

I’d wholly recommend the course and exam to anyone interested in offensive cybersecurity. It’s genuinely fun (if frustrating at times), and the OSCP is a well-regarded cert in the industry.