OSCP Review

Have you ever purposefully put yourself in a situation that makes you run around the house in glee, and then five minutes later makes you want to put your head through a door?  No?  Maybe you should try OSCP.  If being constantly told to “try harder” doesn’t make you want to embed a brick into your eye socket, then maybe this is for you…

After much research into the Certified Ethical Hacker course, the term “OSCP” kept cropping up in my Google searches.  OSCP… OSCP…  what is this mythical OSCP of which you speak!?

Offensive Security Certified Professional.  Possibly one of the most intensive self-learning courses I’ve had the privilege of spending my hard-earned cash on.  The only course that gives you a full lab environment to compromise - with no less than 50 VMs of varying shapes, sizes, OS and vulnerability levels.  Ranging from simple boxes that can be compromised with a cough, to boxes that make you tear your hair out for days while looking for a route in.  I am not allowed to go into detail about the labs, or individual machines, but I can tell you there are some absolute brain teasers in there.

So, let’s rewind a bit.  Personally, I’ve not really spent that much time using applications like Metasploit or similar.  I’ve got a fair amount of computer and network knowledge, plus a logical mind - how hard can the course be?  I read up on people’s experiences and it seemed to be the course for me (I have no significant other, or kids, therefore I could spend 6 hours every evening sat in front of my laptop - like a real hacker!), so I pulled out the ol’ BarclayCard and signed up.  Now I was into the waiting game.  You have to choose a starting date, on which you’ll receive an email providing course materials (more on that in a sec) and VPN configuration.

Connection to the labs is via VPN, which is incredibly stable considering the amount of traffic you send through it - this is a testament to the skill of the OffSec admins.   Once you’re VPN’d in, the labs are your oyster.

The course material is very professional - a PDF of nearly 400 pages, plus over 150 videos - which cover varying pentest techniques from port scanning to SQL injection.  It’s a bit daunting at first, but Muts walks you through each example with a soothing voice and with clear, concise instructions.  He’s like that awesome science teacher you once had at school - you know the one.

The techniques you learn in the videos/PDF are only a small part of the learning required for OSCP.  It is expected that the student performs self-study via other resources.  Various blogs, Google searches, Wikipedia, etc. can be used to expand your knowledge, and I found myself initially looking for a particular technique only to disappear down a rabbit hole of related exploits, techniques and vulnerability disclosure write-ups.  When they said “self-study” they meant it!

Other than learning an immense amount of skills, I’ve met some amazingly clever people via the provided IRC channel (#offsec on Freenode).  The channel is full of admins (who you “ping” when you need a hint), alumni and students.  I found that certain people were always online when I was, and we naturally teamed up to pool our resources and excitedly boast about compromising the complicated boxes.  Those people were also a sounding board for when the course got too much, or the outcome looked like it was completely fruitless.  Sometimes just talking to these guys resulted in a different path opening up and a compromise minutes later on a box I’d wasted 3 days on.

As a personal challenge, I decided I would root every single box available to me, which I achieved.  My final report (which you have to write and submit) was 388 pages long just for the labs!  The exam is the pinnacle of the whole process, where you’re given 24 hours to compromise a subset of boxes to get points.  I’m not saying you chase after the numbers, but it’s very tempting to try and get every point possible.

After 8 hours into the exam (of which the latter 5 hours were just me going nowhere) I had compromised 1 box.  I was ready to give up, but the aforementioned people I’d met in the channel urged me to continue and virtually slapped some sense into me.  Within a further 2.5 hours I’d accumulated enough points to pass.  I decided to quit while I was ahead and write my exam report.  A further 40 pages of documentation was added, and submitted to the OffSec team along with my lab report.  Now I had to wait for my result…

My result arrived on the 1st April, in the afternoon (I guess so it didn’t look like an April Fools’ joke).  A pass - that’s all you’re told - there’s no score, no feedback on your report.  Just that wonderful sentence that tells you you’ve passed and are now OSCP certified.  Nice.

In the 4 months I spent doing the course I have laughed, I’ve cried, I’ve stressed out, I’ve jumped for joy.  I think I experienced every kind of emotion.  It was fun going into the office and printing out a new diagram showing the new boxes I’d compromised the previous evening.  The thrill of being able to explain some of the techniques to people I work with and have them sit there in awe at the cool stuff I’d been doing.

So, what next?  Well - the next step is OSCE.  But that’s for another day.