OSCP training review - April 2022
Amandine Gagnon-Hébert, B.A
Associate Red Teamer @Mandiant (Google Cloud) | OSCP | VP Engagement @NorthSec | Ethical Hacking | OSEP Student
Introduction
If someone had told me a year ago that I would be an OSCP, I would not have believed it, for two reasons: 1) I did not even know what OSCP stands for, and 2) I was not destined at all to be an information security professional. In less than a year, my career made an unbelievable shift that I still can’t believe is real. Great opportunities came to me very fast. I decided to take some risks and dive deep into this new journey of offensive security. I won’t elaborate on my background and the series of events that brought me to be an offensive security professional, because this story is not the goal of this blog post, but I might say that, as a doctoral student in clinical psychology, deciding to do the OSCP is totally unconventional and highly audacious. I passed the OSCP in April 2022, after 4 months of intensive work and study time. At first, I wrote this blog post for myself, to keep track of the progress made over time and to reflect on my own learning process. But finally, I decided to publish it since it may be informative for others, or maybe not after all, who knows?! This article is not about my opinion of the OSCP and Offensive Security in general. I think that all the good and bad sides of the OSCP have been covered many times in other blog posts. Now that this journey is behind me, I want to focus my thoughts on the positive and, retrospectively, reflect on how I experienced this training in a constructive manner.
My study method
This section is about what I did to tackle the OSCP course material and lab. I do not pretend to have the best study method. There is no secret to passing the OSCP, although some certified people pretend to master the best tricks and study methods. I adopted a method that worked for me, since I know myself well enough as a learner. I know my strengths and weaknesses, since I have had many previous academic experiences and intellectual challenges. I was confident that, although I decided not to follow the traditional OSCP pathway and philosophy, I could be successful. I do not regret having followed my gut and having done things a bit differently, since I did not have to take the exam twice.
Since I am a complete beginner in the field of information security, my strategy to learn and pass the OSCP was to carefully study as many case scenarios as possible. At the beginning of my journey, I did not have enough experience to root a box by myself. I could barely run an nmap script, and I was overloaded with new information. I tried to use my creativity to root the first 20 boxes, as Offensive Security suggests, but I could not. I felt that before starting to be creative, I needed to acquire strong foundations and to have encountered a lot of case scenarios beforehand. Trying to root boxes by myself led to successive failures, which caused me a lot of frustration. I did not enjoy the learning process at all at that point, and I felt I was wasting my lab time.
Therefore, during the lab, I’m not shy about disclosing that I relied a lot on the student forum. The forum helped me since a lot of students give hints on how they rooted the box. I was amused by the creativity of some students who used poetry and puns to give hints. As previously said, one of the reasons I relied a lot on the forum is that I wanted to speed up my learning process, since I had only a 90-day subscription to the lab and could not root a single box by myself. I feared not having the time to complete the whole lab if I rooted boxes at a rate of one per day. Moreover, I’m also the kind of person who has a very good memory and who does not like to experience frustration during the learning process. For example, I felt that the lesson of adding the -x flag to the command to find a hidden page when fuzzing was not worth 5 hours of head-banging and all the negative emotions associated with being blocked on a box. This is very personal to me. I respect people who hate being spoiled and love the feeling of accomplishment from rooting a box by themselves after long hours of googling and searching. However, I felt that these elements were not essential to my learning process. I kept going with my own methods, although I felt the judgement and skepticism of some students.
Relying a lot on the forum during my lab time did not mean searching for the answer, running the commands, rooting the box, and passing immediately to the next one. For each of the 75 boxes in the lab, I wrote a full, exhaustive walkthrough, which took a considerable amount of time. Each walkthrough describes in detail all enumeration, exploitation, and privilege escalation techniques. I noted all the commands used, from the enumeration to the post-exploitation phase. I also took note of every attempt made to root the box and the reason it failed. My goal was to make as many associations as possible between what I had done (the action taken) and what I had seen in the environment (the way the web application behaves, the users and their privileges, the links between a running service and a script found on the box, etc.). My belief is that I could learn much more from reviewing and writing down the entire process afterward than from banging my head for four hours on a box that I finally failed to root.
Like many other students, I also benefited a lot from the incredible content of different learning platforms such as Hack The Box, TryHackMe, TCM Academy, etc. In addition to the 75 boxes of the lab, I rooted around 15 boxes on HTB and 20 boxes on Proving Grounds Practice/Play. I also followed both the Linux and Windows privilege escalation courses from TCM Academy and Tiberius, and took notes on around 50 tutorials from IppSec and walkthroughs from 0xdhuf. There is a well-known phrase: “know your enemies”. I took this phrase literally. In the case of passing the OSCP exam, I considered that my enemies were nothing more than the challenge designers. To be able to defeat the challenge designers on the day of the exam, I needed to develop a challenge designer’s mindset and way of thinking. To get into that mindset, I felt that I needed to go through a lot of case scenarios and root a lot of boxes. By rooting box after box and making notes on them in a custom-made Excel sheet grid (shared at the end of this blog post), I learned not only to be methodical but also to be intuitive, which in my case is an ability I had to develop, as I am more of a “logical” person.
Finally, I hope that every student can find their own study method, even if it is not in line with the Try Harder philosophy or with other students’ point of view. Be confident in yourself as a learner, as you know yourself better than anyone else. There is no secret and no single method to pass the OSCP; there is only the method that fits you.
Sharing with others
Offensive Security has an official Discord channel where students can exchange and ask questions about the PWK-200 course material and lab. There are Student Admins who have a guiding role and can provide students with some help. I felt that most of them did their best to answer students quickly and to be helpful within the limits of what Offensive Security allows them to disclose. However, students are also allowed to reply to each other. My advice would be both to not hesitate to ask questions in the students’ channel and to help others when you can. Sharing with the community was the part of the journey I enjoyed the most. In four months, I made friends from all around the world, from my current location, Montreal, to the Philippines. To be honest, having new friends to connect with made the OSCP experience worth it, above the course curriculum and the certification. In my opinion, security is nothing other than teamwork. I truly believe that learning from each other is the key to success, not only to becoming OSCP certified, but in the security field at large, since there is so much to learn and many skills to acquire. From my experience, one of the greatest mistakes an OSCP student could make, especially if they are new to the field, is staying alone and Trying Harder by themselves. I do not encourage students to be passive in the learning process and wait for the answer to come from others. However, having a study group and/or friends to root boxes and do the lab with will speed up your learning process a lot and make the journey less frustrating. Working in a team can be as simple as discussing alternative paths to root the boxes, sharing tools and methodology strategies, giving technical advice, and above all being encouraging and morally supportive to others. I assure you that doing your OSCP with friends and colleagues will make you way more efficient than doing it alone.
I very much hope that I will continue to connect with the ones I suffered with during this journey (hehe), because I’m very grateful to them and I hope I can be of some help to them one day. Finally, I hope everyone who is eager to go through the OSCP has the chance to Try Harder Together.
Social media and Reddit
I will be honest with myself and admit that I fell into the pitfall of social media chatter, which increased my anxiety a lot during my journey. I feel that the OSCP in general, and especially the new exam format, is a vector of a lot of anxiety for a lot of students. Many of them are quite active on platforms such as Reddit and other forums to get insights from other students about certifications. I did the same. Having insights into others’ experiences can help lower your level of anxiety, since you get a better overview of what you can expect from the exam and the whole training. However, in my view, these platforms are a double-edged sword, since the chatter can also have the opposite effect: a lot of students are also venting their anger, disappointment, and failure experiences. I am not against these platforms and forums, since they can be very informative. However, as with any social media, my advice to students would be to consult these platforms while always keeping a critical eye on what is being said. What one person experienced is not necessarily what you will experience. We all differ in our way of learning and facing challenges. As in life in general, we should not build our views on only one blog or social media post, but rather on a gathering of evidence. Therefore, if this training were to be repeated, I would allow myself to keep an eye on these platforms and to participate in the general conversation, but without attaching too much weight to what is being said on these threads.
The exam day
The exam day was hard mentally and physically. I won’t lie: I did not enjoy the experience. Thanks to all my friends and colleagues who supported me during the > 24-hour exam time frame. Honestly, without my peers rooting for me, I think I would not have achieved it. I scheduled my challenge at noon, as I am more of a night person. As some certified students suggested in their blog posts, I prepared my food the day before and made sure to get good sleep for at least three days before the exam. Throughout the exam, I took breaks every 2 hours. During these breaks, I rode a stationary bike, since being on the move helps me a lot to put my mind in order. It also helped me to chat with friends and family. I figured out that I had enough points to pass at 2 a.m. I was then totally exhausted and tired. I had cried three times in front of the proctor by that time. I am very sensitive to sleep deprivation, and this was the hardest part for me. I know that Offensive Security suggests getting proper sleep, eating, and taking breaks during the exam, but since I had enough points (70) to pass 14 hours after the beginning of the exam, a normal schedule would not have been possible for me. During the exam, I was very well organized, using OneNote as a note-taker. I took notes on everything I tried, even failed attempts. Taking good notes was very useful for me, since I did not allow myself to work on a box for more than 2 hours in a row. This constant switching between boxes helped me manage my time. My objective was to get 80 points in case of any mistakes I might have made. I also did not write the lab and exercises report, so I did not want to take any chances. I got the missing ten points around 8 a.m. Then, I checked more than four times that I had all flags submitted and all the required screenshots. The exam portal does not validate your flags, and some boxes did not have a local.txt or proof.txt, so I was a bit stressed about having missed something.
I think this is in line with the Offensive Security philosophy of being able to deal with a certain level of uncertainty. Contrary to my expectations, I was not annoyed that much by the proctoring.
The reporting phase was the easiest for me. Fortunately, writing and reporting is my strength. I had a lot of issues with both the Word template from Offensive Security and a popular one found on GitHub. So I had to be a bit creative with the page layout. I decided to use Obsidian for my reporting. I then converted it into the required PDF format and added page numbers with an online PDF editor. My report was not perfect, since it did not include a table of contents. Also, since I’m not a native English speaker, I might have made a lot of English grammar and spelling mistakes, but overall, all the important sections were there. Less than 24 hours after the submission, I received the confirmation of achievement.
Factors leading to success
In all fairness, one of the major factors that contributed to my achieving the OSCP is my employer, to whom I’m so grateful. For many, the OSCP can be stressful and very time-consuming, in addition to being very expensive. All these downsides were mitigated by my employer, who gave me time to get trained and paid for my certification. I also never felt the pressure to pass on the first attempt or to rush my training, which lowered my level of stress considerably. The only pressure I could have felt during the OSCP was intrinsic. All these factors helped me a lot to go through the OSCP journey and to have realistic expectations.
Moreover, although I was born a motivated person, a great learner, and a hard worker, I can’t ignore all the environmental factors that helped me achieve this certification. I am fortunate to live in a developed country with a good wireless connection. I have no financial issues and no kids to raise and take care of. I’m in good health, mentally and physically. Therefore, all my time and head space could be allocated to my learning process. These are factors that we sometimes forget. Not everyone starts equally equipped to do the OSCP or has the same chance to achieve it at the same pace and under the same conditions. Everyone experiences the OSCP differently, and that’s why I am a bit hesitant when it’s time to give advice to others on “how to achieve it”.
Finally, I’m also grateful for the incredible colleagues and friends who encouraged me throughout my training, from the very beginning. We shared the pain and the joy together. This part of the blog post may seem cliché, but success is never about yourself alone. As you might have noticed, I’m not a fan of the self-made man story.
Post OSCP
My post-OSCP honeymoon did not last long. A few days after I passed the certification, I had to perform real-world engagements for my job. The OSCP did not prepare me well for this. The OSCP taught me how to be a better challenge solver and to understand some fundamental concepts, but in fact the reality of pentesting is far from what I experienced in the lab. However, doing the OSCP helped me a lot in one very important way. I am now way more confident in my ability to learn complex new infosec/computer science concepts. The self-confidence, the sense of belonging to the infosec community, and the friends I made along the way are the most important things I retained from doing the OSCP, which is why I do not regret having done this training. Some might consider the OSCP as a kind of infosec cultural ritual that any pentester needs to go through to feel that they are part of the community, while others might do this certification as an HR gate-breaker or to get initiated into some fundamental concepts related to ethical hacking. There are a lot of reasons one might or might not want to achieve the OSCP, and all of them are valid. For me, I think the OSCP was the fastest way to gain credibility in the industry. There is a well-known phrase in French, "Tous les chemins mènent à Rome"; now I could rephrase it as "Tous les chemins peuvent mener au pentest". I am a very big fan of unconventional career paths, and I hope everyone can find their way, whether with or without any certification you can think of.
Comments
Cybersecurity | Internal audit | Risk management | I use risk management techniques to help companies raise resilience
1 yr: Impressive achievement... Hats off
Network Engineer
1 yr: Very encouraging, without talking about the challenges when pivoting from psychology to cybersecurity; that's the most encouraging and motivating part. That's another demonstration of how discipline and dedication overcome all hard challenges...
Reactjs Developer
2 yr: Hello.... can I have a copy of this? "custom-made Excel sheet grid (shared at the end of this blog post)"
Pentester | youtube.com/@nevesec
2 yr: I'll keep this in mind