« back

A lookback at the OSCP

certs, offsec, reflections

Today marks one year since I got my OSCP, and a year and 6 months since I started learning about infosec. A little over 2 years since I got into tech. 6 months since I started on a pentester position. This is my story, mostly the interesting bits.

Background #

I graduated from a French university in 2016 with a degree in Finance and Statistics and a minor in Information Systems. University was overall an academically dissatisfactory experience, when most of my dreams were hit by the harsh reality of academia politics. By the time I graduated, I ended up in London in full Brexit uncertainty with my employment opportunities suddenly taking a turn for the worse. I ended up hopping countries a few times and finally secured one of those highly desired Investment Banking positions. I hated it. If I had some mixed feelings about finance before getting a job, this experience definitely helped me realize I was in the wrong industry. I had dabbled in programming before to automate some Excel workloads (even to the point where I automated myself out of a job!), so I decided to take a leap of faith and get into tech. Leveraging every single aspect of tech I knew, I crafted a CV and started applying. After a few weeks of applying for jobs during lunch breaks and after 12+ hour workdays and not getting call backs, a company finally got back to me for a DevOps role.

During my uni days, I ended up speaking in front of the Council of British Chambers of Commerce in Europe. It was a terrifying experience. This interview felt worse. Thankfully, the coding challenge was fairly simple (think fizz-buzz level) and the hiring manager was very understanding of my circumstances, so they decided to take me onboard. I remember getting the call during a lunch break where a coworker was trying to convince me not to quit without something lined up. The timing couldn’t have been better. I got back to the office and told my manager I’m quitting, as politely as I could. I wish I’d remember this part better, but I was so stressed and stretched thin, that it’s all a haze, but I distincly remember the feeling of weightlessness when I left my office for the last time.

I spent about 9 months in that DevOps role and I met some great people, learned a lot, and met my current service manager, another great guy, through some internal innovation programs. After coming in 3rd place in the company wide infosec challenge and befriending some of the core team members, I had the opportunity to join the infosec team as a Security Engineer. This role was very different compared to my previous one, with considerably less handholding and more challenges, but I managed through. And I wanted more.

Initially, after getting more comfortable in my DevOps role, I started dreaming about the OSCP. It seemed like an immeasurable goal at the time and I gave myself 3 years of study before attempting it. Less than 6 months later I was passing my CEH exam and another 6 months later I was enrolled in the OSCP.

The OSCP Prep #

I got my confirmation email saying that I’ll start the lab in about a month’s time. This is the moment where the panic started setting in. Bear in mind that by this point I had about a year and a half of working in tech and 6 months of working in infosec, but I had not completed a single CTF or rooted a single box by that point. Getting this email from OffSec didn’t help either.

So, disguising my panic with smugness and ingesting enough caffeine to kill a lesser man, I started doing CTFs. I completed Bandit and Leviathan CTF levels on overthewire.org in about 2 weeks. Then I started looking up the OSCP Lab format and if there’s anything else similar. I found vulnhub and hackthebox. I managed to register to HTB, picked the easiest machine and failed. Spent five days on it and only got the user flag. So I went on to vulnhub, found a OSCP like boxes list and started working through them with a walkthrough on my other screen. I managed to complete a few of them, but the process was entirely mechanical and not much stuck with me. Or so I thought. With 2 days left before the lab, I went back to HTB and managed to secure the root flag on that box. It was enough of a confidence boost to keep the imposter syndrome at bay.

The Good - The Lab #

So, the big day is here. I took about a week off from work and started by spending some hours reading the PDF and watching the videos, eager to dive in. So I started sequentially, trying the first 5 boxes in the network range. I couldn’t do any of them. Hello Imposter Syndrome! I went back to the videos, thinking there must be something in there to help. A few days later, halfway through the exercises and videos, I decided to attempt the boxes again. I managed to get one with metasploit, but no dice on the others. Not great, not terrible. I spend the next week on the PDF and the videos and manage to finish all the exercises that didn’t require a lab box. Back to the lab, and I started making progress. My technique wasn’t anything to write home about, I’d just google every service with a port open and look for an exploit. But it was working and I managed to get about half the student network this way.

The provided PDF and videos are great for easing you into the course, although I really wish we could get them a week or so in advance. I’d recommend spending your first week or two just going through them before diving into the lab. Don’t be afraid to go back to them if you get stuck, they are a solid reference material.

The Bad - The Forums #

After about 20 boxes I’m stuck again. I tried checking out the OffSec forums, but it felt like a trip to the early 2000’s, with power tripping mods (please lay off the delete button Harbringer) and tons of unhelpful posts. Since they’re so overzealous with the delete button, they could at least clear out some of those pointless and meme posts. I know OffSec has made some efforts towards community reach, but the forums are mainly a dead cause.

The Great - The grassroots community #

But hackers have a way of solving problems anyway, so I checked the /r/oscp reddit (which is mostly a cesspool), and noticed a discord link to a server: https://discordapp.com/invite/BUjnWps

And I struck gold. The server was still fairly small when I joined (I was there for the 4.99 boxes meme.), and the people were incredibly helpful - and still are. Not by giving away answers, but by helping you find them out yourself (shoutout to Tiberius and plaverty9 among others!). Not only that I was starting to progress again, but I was actually understanding things and not relying on metasploit.

Study Schedule and Boxes #

As I gradually neared the time to start the labs, I started waking up earlier and earlier. The job I had around that time involved a lot of stress due to various factors and I was too tired to really take in the material after work. So I had to do it before. I started by waking up at 6 am and I gradually dialed it back by about 30 minutes per week until I was getting up at 3 AM. To forcewake my brain up, I’d usually jump out of bed, have a tall glass of water and play a quick Starcraft game. With that done I’d pick whichever box was next in the IP range and spend about 2-3 hours on it. If I couldn’t make any kind of progress I’d move on to another box, but for the most part I was able to clear all the non-dependency boxes in sequential order. I would do that until around 9 AM when it was time to head to work where I managed to trudge through the day and have all my daily meals until 6 PM when it was time to head home and either try some idea I’ve had over the day or just try to relax a bit. By 7 PM I was asleep. When I started the lab I used to also hit the gym before work, but by the end of it my daily cycling to work and back was my only means of exercise. For note taking, I mainly used CherryTree, making sure to back it up every week or so. I used this template: https://github.com/devzspy/oscp-certification/tree/master/Note%20Taking%20Tools/CherryTree%20Template

Following this rather intense schedule, I finished the entire lab with about two weeks to spare, so I went back and redid some of the boxes with my newly gained knowledge. Noteworthy is the Dev network range, which is an absolute pain. The big 4 are fun and not as impossible as they seem. Jack is by far the hardest box in the lab and you start feeling like a god once you get foothold. I also schedule my exam about 4 weeks ahead on a Wednesday and request 2 days off from work for it. Looking back at my experience, this was probably the worst decision I made throughout the course. I was exhausted from the grind and I still felt like my knowledge was a bit hazy, so I decided to head back to hackthebox. Back then the VIP didn’t allow you to roll your own box, so I had to make do with whatever was up at that point. With the help of ippsec, I went through most of the windows boxes and I felt like I had a better chance. This turned out to be an excellent idea. With 3 days left until the exam and feeling absolutely wrecked, I decide to rest.

Exam day #

Big day is here. I’d feel nervous if I weren’t so damn exhausted. Anyway, I go through the setup process. Word of advice here, I’d get a good webcam before the exam. I borrowed a 720p webcam from work and it was a bit fuzzy at showing the contents of my room. The proctors are very cool and understanding, so don’t worry about that. Exam started and I launched AutoRecon on all the boxes while working on the BOF. It took me about an hour to finish the BOF after a small hiccup. Checked the scans and noticed that I got a mix of Windows and Linux boxes, all pretty new. I start with the 25pt windows boxes and get user pretty quickly. I try to root but no dice. I switch to the 20 pt linux box and get user on it too. By now I had up to 47.5 points, 3 hours into the exam. I try to root the linux box but no luck there either, lots of rabbit holes. I turn to the last 20pt box, and after some struggles, I manage to get user on it and root too in about 3 hours. I’m 7 hours into the exam and I have 67.5 points if users are half the points. I’m starting to relax, I even take a short break. My happiness was short lived, as that’s where my progress halted. I spent the next 10 hours trying to root the 10 point box, and then the other 7 hours trying to root the previous boxes. Nothing. I should’ve taken a break and slept for a few hours, but I was too hyped and on way too much caffeine. There is no good ending. All the points I got were in the first 7 hours of the exam, and that seems to be the norm among other exam takers. I slept for a few hours and spent most of the next day writing the report and hoping the exam points and the exercise report points added up to enough to pass. Again, I would’ve felt stressed if I weren’t so exhausted.

I spent the following week in a daze, just trying to catch up with the stuff I missed at work. I received the email that I passed on a Tuesday, but my mail filter moved it to spam so it took another 2 days until I found it. Needless to say, the feeling was surreal. Definitely one of the happiest days in my life. From practically 0 IT knowledge and even less infosec knowledge to OSCP is just about a year, I felt proud of myself.

Learning path #

Plenty of tools got added in the past year, to the point where we are spoiled for choice. Regardless of what you do, there’ll be a lot of learning by doing. If you are entirely new to linux, consider doing bandit at https://overthewire.org/wargames/bandit/. Once you have the basics down, you can move on to HackTheBox (HTB) or TryHackMe (THM). VulnHub is also a great and free alternative, especially since it got acquired by OffSec. Personally, I haven’t used THM yet but I heard a lot of great things about it. I’ll stick with HTB for now.

TJNull has compiled a great list of OSCP-like boxes from both HTB and VulnHub which can be found here: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0 Feel free to rely on ippsec for any retired HTB boxes. For vulnhub, you’ll have to find the writeups yourself.

Once you feel like you can tackle most Easy boxes from that list and a few Medium ones, you can stop by the OffSec proving grounds here: https://www.offensive-security.com/labs/

At this point you should be more than ready to sign up for the OSCP labs. I’d suggest going for 90 days and allocating about 4-5 hours/day on average. There’s a lot of content, but your priority should be clearing all the non dependency hosts in the public network. Try to refrain from spamming metasploit and keep it for boxes you’re stuck on.

Tools and recommendations #

Join for the infosec prep discord: https://discordapp.com/invite/BUjnWps Remember to respect the rules and ask questions in the appropriate channels. People will be happy to share their knowledge and answer your questions and you might make some great friends!

While OffSec will supply you with a kali VM, I’ve only used it for the exercises and then used my own. I’d suggest getting used to tmux, as it can greatly help managing your terminals. You can find my tmux conf here: https://github.com/robsware/tmux-config/blob/master/.tmux.conf I mainly designed it to work with my pok3r vortex mechanical keyboard, but it works reasonably well with standard keyboards too.

Start doing write-ups for your boxes as you go. Not only this will help you for future reference, but they’ll also be good practice for the final exam.

You may also consider doing some mock exams. Pick any 3 random Medium boxes, 1 easy one and any BOF exercise of choice (I used brainpan from vulnhub) and see how far you can get in 12 hours. Going for the full 24 hours can be daunting and most people make most of their progress in the first 12 hours regardless.

Lastly, take snapshots! Take them often! I bought a spare HDD that I used just to store the snapshots and I’d take one every two days. Probably overkill, but it came in handy a few times when I managed to brick or damage my kali box beyond repair.

Final Thoughts #

Offsec have managed something quite remarkable in making a course that’ll teach you how to think like a hacker. The course can often feel like it’s not going very deep and you’ll often hear people say it’s an “entry level” cert. As much as you may feel like decking those people, try to understand they use a different frame of reference and/or are exceptionally skilled. While the exam price hike left a bit of a sour taste, you still shouldn’t be afraid to fail the exam. I went in fully expecting that I’d fail but somehow passed on my first attempt. There’s plenty of stories out there of people that failed multiple times and still came up on top.

At the risk of going full nerd, I’ll say that the OSCP is the Dark Souls of infosec certifications. It’s well made and fair, designed to help you grow stronger, and it only hurts you because it loves you. Just like Dark Souls, it had a large community to help you and taunt you with “tRy HaRdEr” until you feel like quitting. Remember to take breaks when you feel overwhelmed, the OSCP is a marathon, not a sprint. One that might just change your life, as it certainly has changed mine.

The OSCP is a tough exam that will make you suffer. It is designed to test your entire arsenal, your ability to manage your time, energy, to think outside the box, to prioritize and triage findings, to pay attention to details and recognize rabbit holes and to present your findings in an easy to understand report. Passing it will leave you in an elevated state of being, with a solid knowledge of the main skills required for pentesting and with substantially better career prospects.

Remember, Try Harder!

Post OSCP #

Once again, my happiness was cut short by 2 massive work projects that required considerable overtime and weekends of work and took another 3 months to complete. It was at this point, after almost a year of working/studying 120+ hours weeks, that I was completely burnt out. I couldn’t even look at a piece of code or an nmap scan without feeling like throwing up. December rolled around and business slowed down enough to give me time to ponder. Tech was great, but I couldn’t bring myself to even write or read a line of code. It was like my brain was full and refused to accept any more new knowledge. I took this as an opportunity to catch up on some videogames. January rolled in, and I was looking for a more engaging game and stumbled upon Eliza. I fired it up, my interest piqued by a Zachatronics game that wasn’t some sort of puzzle.

I don’t want to say I was hooked. I didn’t finish Eliza in a day. I finished it in a week (about 6 hours of gameplay). Eliza deals with a lot of interesting themes, but the one that resonated with me was burnout in tech. It forced me to ponder a lot and thing back upon my life so far. As the game progressed, so did my memories spring back into view. I picked up my diaries from across the years and went through all the difficult decisions I had to make and all the risks I had to take to get there. But most importantly, of all the joys and discoveries I made along the way. The protagonist and I had very similar stories, to the point where I joked with a friend the writer must have access to my email account, and as she went through her attempt to figure out her burnout, so did I. Eliza, ironically enough, was very therapeutic for me and reminded me again that videogames are an artform. By the final chapters, I was feeling good. I remembered how fun tech can be and the virtually limitless potential. The cyberpunk novels, the feeling of making something despite having nothing. By the time I finished Eliza, both me and the protagonist were ready to start again. I put the game down and opened VS Code. 2019 was an incredibly difficult year but I still had some fight left in me.

Shortly after this “epiphany” I managed to secure a pen-tester role and kept working on a number of side projects, including a smart router, a discord chatbot with ML features, this very page and some experiments with cellular automata. I feel again like a kid discovering all the fun things I can do with a few lines of code. And I’ve been in that state of mind ever since, mindful to take a break every now and then, managing to hit Pro Hacker rank on HTB and consistently be in the port swigger hall of fame. Got my CRTP, currently studying for my OSWP and planning to sign up for the AWAE in a couple of months. Progress certainly gives me some solace from what is happening outside, and I’m already dreaming about tinkering with some other projects after my AWAE/OSWE. Remember that in those strange times more than ever, burnout is real and it can happen to all of us, so keep your head above the water and know when to take a break.

Stay nimble.