How I went from NOOB to OSCP in 90 days

Just like every OSCP experience blog post, I'm going to start off with a bit of background and then dive into the actual experience of the exam. Before starting the PWK course, I was working at a fitness facility, with no idea what the words Kali Linux even entailed. I had some computer knowledge; I was the basic IT guy for my parents who could barely get Copy-Paste working. But the thought of hacking, Kali, and even Linux never crossed my mind. However, over the summer of 2019 I decided to join a bootcamp based on cybersecurity, and I got accepted and started my first day in October. We learned about basic networking, some Linux bash scripting and even some Windows terminal commands. Everything changed, however, when we got our 30-day voucher for PWK.


The first week of November was the start of one of the best experiences I’ve had in a long time. We started our PWK course material, which to me was exhilarating; learning different tools ranging from Burp Suite to Nmap became an addiction for me. I began endlessly researching different vectors of attack and different tools, and before I knew it I had spent nearly 70 hours within my first week saving cheat sheets, creating notes, and documenting everything I could find. I found it fun, new and exciting. At the start of my second week of the PWK course, I began looking into cracking boxes. My first box within the lab environment was named Alpha; I was told this was a good starter box to learn an abundance of everything from web server enumeration to exploit modification. Thinking about it now, the box would be a piece of cake, but from the initial enumeration to root privileges it took me nearly 10 hours. That might seem like a long time, but to me it was the greatest feeling ever. When you crack your first box, all the time spent means nothing; all you can think about is the trophy, the root flag. The feeling is like no other, and after that first day when I rooted Alpha, all I thought about was which would be my next box, which ended up being Hotline. This box took a bit less time than Alpha, although I'm a bit ashamed to say it took me around 6 hours. Again though, the feeling was like no other and I just wanted more and more. I then went from Payday to Bob, and then to Mike and Kevin. Within the second week of the course and lab, I had rooted about 9 boxes. It was a great feeling and the absolute grind of it was thrilling.


By the start of the third week, I saw an all-around great recon tool mentioned in an OSCP Discord. The tool was called AutoRecon. I still use it to this day, and one thing I will mention is that before using this tool, try to have a good understanding of Nmap and other recon tools, as reading the output before actually having used Nmap, SmbMap, enum4linux and others will look quite confusing and hard to understand. Other than that, shout out to the creator Tib3rius. It is an amazing tool that definitely, in my opinion, needs more recognition. Again, throughout this week, I had grinded out some more boxes, such as Dj, Jd, and Gamma. By the end of the third week, I was at about 17 roots. I felt pretty comfortable with trying out one of the Bosses. To my understanding there are 4 boss lab machines: Sufferance, Ghost, Humble, and Pain. I started with Pain at the start of the last week of my lab time. Well, based on the name, you can guess this box was pretty much a pain in the ass, having literally shelled myself about 4 times. But in the end, with a lot, and I mean a lot, of headache, I finally managed to root the box. This box single-handedly took me about 5 hours, which at the time felt like a lot because I felt as if I was getting into the flow of things, knocking out boxes every couple of hours. It definitely was a learning experience and I would recommend the box as a good ego booster. The next and last lab boss I attempted was Humble. Humble was also a great box; however, this took a bit longer as it touched on my weak point, which was scripting and programming in general. Although it did ultimately take me around 7 hours to root, I thoroughly enjoyed getting a grasp of the box. The rest of the week, I practiced Buffer Overflow, over and over and over again, due to the known knowledge that one of the OSCP 25-point boxes would be a Buffer Overflow machine. I got to the point where I could do the Buffer Overflow without watching the PWK course video and felt comfortable enough.


Now that my lab time was pretty much over, I did end up rooting about 20 of the lab machines within the 30 days allotted. I had originally scheduled my OSCP at the end of my lab time; however, due to complications with my ID, I was forced to reschedule for a later date, which happened to be about 2 months later. This did end up being a blessing in disguise because although I felt confident enough to take the exam, I did have trouble with privilege escalation. My one main critique of the PWK course would be the lack of privilege escalation material. This is where HackTheBox came into play. At this point, the cybersecurity bootcamp I was in was divided into sections: we had 30 days for red-teaming, being the PWK course, and another 30 days for blue-teaming, which was based around the CompTIA CySA+ certification. I won’t really get into details; however, while going through the blue-teaming phase, I would still work on HackTheBox. Once these 30 days of blue-teaming were over, and I had gotten my CySA+ certification, I went back to grinding out HackTheBox.


HackTheBox ended up being a life saver for me; the platform being so well built really helped me flourish and gain so much experience. From privilege escalation to even Active Directory, I had learned so much. There was also a list posted of lab machines which were similar to OSCP and PWK machines, which I did end up grinding out a decent chunk of. Doing this list, in combination with the 20 I had already done within the PWK lab environment, really excelled me to a point where I knew I was ready for the OSCP. Reading all the OSCP experiences, and how difficult it was, I didn't expect to pass on the first attempt, but I will say I gave it my best shot. After 30 days of HackTheBox, doing not only the retired lab machines but also some of the active machines, I had taken my OSCP.


The day of the exam was, of course, nerve-wracking. I had gotten prepared, had some snacks and fruits on the side to keep me going, and started the exam. My mindset going into the exam was that I'd scan all the machines with AutoRecon and begin my buffer overflow. After a painful 3-4 hours, I managed to root the buffer overflow machine. The reason it took me so long was due to tech complications, which I did end up sorting out and finally getting the box, but boy oh boy, was that a confidence killer. Now delving into the rest of the machines, I started with the 10 pointer, hoping it would be an easy 10 points. Well, I was wrong; this did take me about 2 hours of painful and constant debugging. I did take about 6 breaks at this point, each around 15 minutes, at the end of each hour. I would HIGHLY recommend managing your break time wisely. This is what I feel helped me the most: taking a step back when I began feeling frustrated and annoyed, and coming back with a fresh set of eyes and starting up again. At this point I was at 35 points, and decided, screw it, I'll try out the 25 point machine. I managed to get a user shell within 15 minutes, and had no idea where to go for privilege escalation, so I went on to one of the 20 pointers. It took around 2 hours to get both user and root on the box, and I started feeling quite comfortable at this point. At 67.5 points with loads of time left, I decided to take around a 45 minute food break to chill out and rest my mind a little. Coming back, I decided to go for the other 20 point box, and got a shell within 45 minutes. I was extremely happy and ecstatic; I had enough points to pass, 77.5. I went to bed for around 8 hours, and decided to take a look at privilege escalation for the remaining 2 machines, but I couldn't really figure out anything and wasn’t progressing. I decided to end my exam there with a few hours left and start on the reporting.


The report, for me, was the hardest portion of the exam. I had done a few reports beforehand to understand the process, but I wish I had done a lot more. The report was extremely gruesome and thankfully I found a really great template to use and piggyback off of. For the reporting process, I jotted down every command used, every modification done, and basically the entire process I took for each machine. I did not include failed attempts or methods, however. By the end of my report, I had around 70 pages total, which seems like overkill, but I didn't want the reason for me failing to be the report. I submitted the report with the exact instructions given by OffSec, and now the wait had started. Each passing day took a lot out of me, but within a week I finally received my email stating I had passed and received my certification. The joy and excitement I had was unspeakable; it was one of the, if not the, greatest moments of my entire life. As cliché as that sounds, I had grinded nearly 3 months for this, every day, learning more and more, and finally getting this certification felt unbelievable.


“We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.”


Some tips I’d give for anyone thinking about, or who has even scheduled, their OSCP are: research, experiment, and execute. For me, being within the PWK course, I wasn't afraid to try things; I mean, we pay for the course, so don't be afraid to try. I researched everything: why did this work, why was this exploitable, how to enumerate this service or that service. It's a constant learning grind, which in the end will not only help you pass, but will help you get a solid understanding. I wasn’t afraid to ask questions in the Discord or the forums. Then HackTheBox, to which I owe a great deal of gratitude, really helped me solidify and expand on what I had already known. Do HackTheBox. You will not regret it, and if anything you will make great friends within the community. Something I do wish I had practiced more of, which I urge everyone to practice, is reporting. After every box, do a report; it will help you with getting basic reporting skills while also writing down your process, which in turn helps you understand what you did to a greater extent. During the exam itself, definitely time your breaks wisely; if you feel like you’re getting stressed or frustrated, take a break. There have been times where I was feeling frustrated not finding an avenue of attack, but once I took a break and came back with a calmer mind, I instantly found what I was missing. Something I would stress to everyone taking the exam is to ignore the negative. Each day you try and practice is a learning experience. Each day you fail to get a box, you learn, and each day you get a root, there is no better feeling.

Some Helpful Links:
HackTheBox
My HackTheBox Profile
HackTheBox Discord
AutoRecon
OSCP Exam Template
InfoSec Prep Discord
My Twitter

Comments

  1. Thanks for the story, MOTIVATED!

  2. Those are pretty expensive courses. If you say you didn't have prior cybersec understanding, what convinced you that it is worth it?

    Reply (author): I had actually joined a bootcamp starting in October and the bootcamp provides the PWK voucher; however, I do think that even without the bootcamp it would've been worth it. I will say though, having a bit of basic knowledge on using Linux, and some networking skills, is extremely helpful before starting PWK.