OSCP labs

I am almost through my OSCP lab time. I do not expect to pass on my first try. Why? Simple.

It’s fucking hard!

How it started

I wanted my OSCP certificate since I was maybe 24 years old. That is a long time. Back then, it was around $1200. Back then, it seemed like a shitton of money to me, but I really wanted that. It seemed like the Olympus to be conquered, a trophy to grab, and to prove to myself that I actually had what it takes. But then again, I also believed that every app could be attacked with a buffer overflow, so there’s that.

In fact, the OSCP’s official course name is PEN-200. Why 200? Well, the first number shows the level, second and third show specific areas. There is also, for example, EXP-401 or PEN-300. Both of these are labelled as “advanced” courses, with a 72- and 48-hour exam, respectively. Compared to these, PEN-200’s 24 hours seem like a breeze!

Once I became aware of more than just the OSCP and had a look around, I realized that while the PEN-200 may have seemed like an Olympus before, it is only a stepping stone to greater heights. Still, it’s a very tough exam.

What are the labs like?

If you’re reading this, I hope you watched some videos or read someone more knowledgeable on the topic than me; I am barely maintaining my sanity, after all. However, I can tell you what you can see in the labs. IP addresses. Literally just that. IP addresses, and the rest you will have to find out. If you imagine something like HackTheBox, it is similar, but HackTheBox at least gives you a name which may indicate what the box will be about! With OSCP, it’s a literal black box. You get the scope (list of IPs), and you just have to help yourself.

This is a blessing and a curse. If you know what to look for and how to quickly find the first entry point, you’re going to flourish. If, on the other hand, you don’t know what to look for yet, you may struggle at first. That was my first lesson. If you’re only used to HackTheBox, where you get SSH and MAYBE one or two other ports, you may be in for a world of pain. There’s like 7-15 different ports open on almost every machine in these labs! You really need to find an entry point.

The entry points are numerous, but not every box has one immediately accessible. To use information from The art of network penetration testing by Royce Davis, there are level one clients and level two clients. Level one is easy, the entry point is accessible to you. The issue starts when you get level two clients, which you have to get to through another machine. There is no denying the knowledge I picked up in the labs was useful, sometimes even the very next day!

Story time: I was practicing my pivoting, i.e. getting to devices behind a firewall or in a different segment of the network. The exercises made me feel like shit, but I knew it would be useful in the OSCP exam. The next day, my mum called me and complained about some networking issues. Once I heard her out and made her perform some of the things I would do (ping xyz.com, ping an IP address), I concluded that the outage was caused by a PiHole installed (by me, who else) in their network and doing all the DNS work. After about 20 minutes of trial and error to get some remote desktop management client to work, I told my mum: “Hey, try opening PowerShell and run ‘ssh’, we’ll see if it’s there.” Sure enough, SSH was present in her installation, but she was still stuck behind a NAT and I do not condone my parents opening ports on their router. The solution was obvious: run an SSH tunnel to some cloud server and provide port forwarding to the laptop I had at home. Opening a dynamic tunnel would be ideal, but I would make do with a PowerShell. So, I spent the next 4 minutes dictating the command to my mum, opened an SSH port on a server I control, and through “high-trust social engineering” I gained access into a NAT’d network. From there, I pivoted to the PiHole, established persistence in the form of a VPN client, and ran the rest of the troubleshooting through the PiHole / jump-box.

The labs may be difficult, but it’s all worth it.

How it’s going to go

As said before, I do not expect to pass on my first try. I have only one IRL friend who actually passed on his first try, and that was the old OSCP exam. Five machines, one buffer overflow, weird scoring. The one I am attempting on December 8th (and 9th) is the “new” OSCP exam, with an extra sprinkle of Active Directory. Honestly, I appreciate the change (it is going to be a bit more realistic than just five standalone machines), but I hate that this change came right when I started the labs.

The fact that I’m not likely to pass doesn’t mean I won’t give it my all. I have learned much in the pursuit of this certificate. I know several people who have it, many who don’t, and while I understand each person’s decision (you may make a killing even without it), understand that certificates are like premium black-tar heroin to me. I love them. I cannot get enough. Even if the certificate expires a few years down the road, I’m okay with it; it just gives me a chance to take it again!

Author’s note: I am currently lying in bed with the coof, so I may be rambling (but then again, when don’t I?)

The exam itself is going to be proctored. That means someone on the other end of the globe (and most likely multiple people) will be watching me through my webcam while I am sweating, cursing, and hopefully shouting SHELLS!!! in the comfort of my home. It may seem intrusive, and while I don’t feel comfortable, I found that after a while, I stop noticing. It may be a hurdle for people who suffer from anxiety, but in that case, I would contact OffSec to see if they can accommodate your concerns. I’m sure they have a backup plan in that event.

For now, I’ll be running through the rest of my lab time while I still can, and think of ways to make the OffSec proctor uncomfortable. Maybe my onesie could again come to good use.