PWK / OSCP - Tried Harder!

I started the Penetration Testing with Kali (PWK) course on Sunday 15 April 2018. It was sooner than I thought I would have done it, because I always feel like there is more that I must do to prep before attempting the course / exam.

However, I’ve been wanting to do this for a very, very long time, since it was still BackTrack, so no more procrastinating.

I booked 3 months’ lab time. I wanted to spend as much time as possible in the labs. I do have a full-time job, so I was aiming at doing 3-4 hours a day at night and then full days over the weekends. This worked most days, but there are others when you just don’t feel up to anything. But I think in the end I spent most of my time wisely in the lab.

## Course Material

Before you jump into the labs, first go through ALL the course material and do as many of the exercises as possible. This will save you in the end. I was doing the course at the same time as another acquaintance, and he struggled a lot because he just jumped into the labs. He didn’t have a methodology down, and when he came across certain obstacles he didn’t know what to do or where to look for it in the materials. He ended up wasting more time than it would have taken if he had only gone through the course material first.

You get a handbook (in PDF) and access to various videos. The first week and a half I spent just going through these materials and doing most of the exercises.

The handbook is put together very well. Their explanations were thorough, and nowhere did I ever wonder what they were trying to tell me.

You have to use the handbook and videos together. I started with only the handbook, and during some examples they seemed to have skipped steps. It turned out those gaps were covered in the videos. So for each chapter you read / watch, keep the other close by.

As stated many times before by OffSec and other students, you will not be shown everything. You are taught the basics, and then you must use that to do further research to advance in that subject. If you cannot do research on your own, you will have a lot of difficulty with this course.

The first 7/8 chapters went by very quickly for me. They were all subjects I was familiar with, so it was just a good refresher. All the subjects were easy to understand. The only one I had to pause, go over a couple of times and scratch my head at was the Buffer Overflow. But once I had my head wrapped around it, it was very easy and became the subject I enjoyed the most out of the whole course.

The only “problems” I came across in the material were that sometimes they were using older versions than what you have installed, and sometimes you had to use different options or arguments with commands. But there was always a way around it if you put in the effort to look for the answer. Also, the student forum is very helpful if you ever get stuck.

Besides teaching you to be a pentester, they also teach you to learn by yourself. You will always obtain more knowledge if you are able to figure stuff out by yourself.

## Labs

If you have done any research or read reviews about PWK/OSCP, you will have heard that the best part of this whole experience is the labs.

50 - 60 machines with various OSes spread over 4 networks.

You start off in the “Public Network”, the network with the majority of the machines, and if you want to try and compromise the rest of the machines, you must find a way into their respective networks.

The labs are a source of great joy, confusion, anger and depression. You go through all these emotions as you progress through the labs. But nothing beats that euphoric feeling of accomplishment when you finally root a machine. That feeling is an addiction and is what keeps you going back for more punishment.

Remember that you share this lab with other students. In your student console, you will get a list of the machines you can access (public network only in the beginning), and when they were last reverted. If a machine was reverted in the last couple of minutes to an hour, then it is likely that someone else is busy with that machine. Just leave it and move on to another one. There are enough machines in the lab to keep everyone busy. I never had the problem of using a machine that someone else also wanted to use. It’s a shared environment, so please be courteous.

Compromising the Linux servers and web servers was a lot easier for me than trying to get into a Windows machine. I have an extensive Linux sysadmin background and yes, I detest Windows. This was one area I was concerned about, because throughout my whole career I avoided, and still do, Windows. Death to Microsoft!

Anyway, this was going to be my biggest difficulty / challenge in the labs: compromising Windows machines, and then having to learn some basic Windows sysadmin so that I could navigate and use it properly. I spent hours reading about finding specific information that was needed to compromise Windows, and at the end of the course I had a massive bookmark list with shortcuts to the various things you might encounter on a Windows machine.

I really do not have any complaints about the labs. Sure, most of the OSes and exploits are old and you can argue you won’t really find them in the wild, but remember that this is an introductory course, and they use the older versions to properly teach you the basics and give you a solid foundation to build on.

During the 3 months I experienced downtime only twice, and it lasted a couple of hours each time. Remember, this is technology, shit breaks. You can always ask in the IRC channel if anyone else is experiencing the same, or if it’s just you. You can also email OffSec or ask for assistance in their live chat. Keep an eye on their Twitter feed, since they always post updates there.

I’ve got so many stories I’d like to tell about specific events during my time in the labs, but unfortunately they involve spoilers for some of the machines, and when you sign up for the course you accept an NDA with OffSec, so you cannot divulge any details.

## Exam #1

3 months and a week later, I sat down to start the exam. I chose to start at 10am. This would give me time to sleep in, have breakfast, get ready and not rush anything.

At 10am I received an email from OffSec with a VPN connection pack, and the exam started.

In order to pass the exam, you must get a score of 70 points. The machines in the exam are given certain amounts of points, which you can see once the exam starts, so you always have an idea of how many points you have once you start compromising machines. The machines are also a mix of Unix / Windows with various applications. It’s impossible to guess what you will get, so you really have to prepare for everything.

You might think that 24 hours is long, and it is, however you don’t notice it. The hours fly by so fast when you’re in “the zone”, and this bit me in the ass. I was up against a machine which I knew I could get, but it just did not want to work. You know that feeling where you know it’s right, it must work and you will get it very soon? Well, that cost me so, so much time. I eventually got that machine, but I only had 3 hours left and I had 55 points. I got a limited shell on another box, which, if I got admin rights, could push me to 65 points, plus my lab report for 5 points, and I’d have 70. Alas, I could not get admin rights on that machine. I was burned out and things just did not click for me anymore.

I was exhausted and quite pissed off at myself for wasting so much time on one machine, and to add insult to injury, the mistake I made on the machine was something that did cross my mind when I first started with it, and for some reason I didn’t test it.

Anyway, I knew that I could have passed, so the following week I extended my labs by another 30 days and booked the next exam.

## Labs Extension

Not much to say about the 2nd round in the labs. The booking process was straightforward. A couple of hours after payment was made I got access to the lab again, and this time I was more motivated than before. Besides the simple stupid mistake I made the first time, the exam showed me an area I could improve on, so I spent a lot of time improving that area.

## Exam #2

11 September 2018, 09:55. Waiting for 10am to start my exam. 10:00 and I receive my connection pack, and the game is on. 1 hour in and I had my first machine. It would have been faster, but I had to take a lot of screenshots for this one; you have to document every step. I saved the screenshots directly in KeepNote, which I used to make my notes with, and also saved them in a folder just in case something broke in KeepNote. Rather be safe than sorry.

16:00, 6 hours in, and I had rooted my second machine. After I finished that machine I decided to take a break and have an early supper. At 17:00 I jumped back into the next machine.

At this point I was struggling. Getting two machines in 6 hours was quite a confidence boost. As quickly as the confidence grew, it was broken down even faster. I wasn’t getting anywhere, and you start to doubt your process and yourself. However, I knew the process works, so I must just have missed something. I started enumeration on the box again and went through everything I got, line by line, very slowly. And I finally saw it. The way in. I had the information from my initial enumeration, but I had just skimmed through it and didn’t take the time to really look and see. It was right there in front of me, I just had to look.

It was now just before 23:00, 13 hours in, and I got the 3rd machine. All I needed was just one more box out of the two that were left, and this time I had 10 hours left, not 3. I took a quick break just to stretch my legs and then got into the final two machines.

03:00 am. I rooted the 4th machine, which pushed me over 70 points! I finally did it! I quickly went over the notes for the machine to make sure they were correct, and I went to bed with a very, very big smile.

I set my alarm to get up at 07:00. 3 hours left. I reverted all the machines and started working through my notes to make sure I could follow them, root the 4 machines again and take additional screenshots where needed. An hour later, all 4 machines were rooted again. My documentation was correct. I had a look at the final machine again, but I did not have any luck. Up to this point I had not used Metasploit at all, so I decided to give it a go on this machine, however no dice. Didn’t work. However, it was fine. I rooted 4 out of 5 machines, which gave me more points than I needed to pass. I saved all my documentation, backed it up to a remote server, closed the notebook’s lid and went back to sleep!

## The Report

The report was rather straightforward. You are provided with an example report which you can use as a template for your own report, or you can do one from scratch. I honestly was not up for creating one from scratch. I used the template and added all the screenshots with detailed descriptions of what I did, where, and if needed, why I did what I did. Remember that the examiners will be reading this report, so it will have to make sense. Apparently they will be replicating what you did, so make sure everything is in the correct order. If it doesn’t work, you will get 0.

## The Conclusion

… And that was it for the OSCP. It truly was an awesome experience. As many people have stated before, the lab was what made this experience worthwhile. Sure, the exploits might be old and dated, but the point of the OSCP is to teach you the basics and to give you a solid foundation. The real work starts now, where you have to build on that. This was the best training and certification experience I’ve ever had, and I could not recommend it enough.

P.S. Sheeesh, I started writing this on 11/01/19... almost 5.5 months later and it’s only going up now. I truly suck at this. No one will probably read this either, so I’m basically just talking to myself... should probably see someone about that... sigh...