Oscp Journey
11 May 20212016: I heard rumors of a very intense hacking course when I was 18. I didn’t believe it at the time, as high school kids can be full of fairy tales, and I still thought hacking was overall illegal.
2017: I was talking with my college’s Cybersecurity Instructor (an ex-pentester), and he recommended I looked into company named Offensive Security. Long and behold, there was the, “Penetration Testing With Kali,” course. I thought I could ace the course in one go after taking my ethical hacking university course (which equated to throwing msf at a wall and hoping something sticks). I was very wrong.
There is going to be a reoccuring theme of failure in this post, so get ready…see if you can spot my problem.
Everyone always recommends the HackTheBox List from TJNull as preparation for the course, so I decided to start there. I couldn’t be bothered to do the starting challenge, so I googled the solution and got in.
From there I knocked out Jerry almost instantly. “This is gonna be too easy,” I thought. I never popped another box for two months. The forums are pretty useless, and I wasn’t on Discord yet as I was nervous about being harassed for being new. “Nessus Free and OpenVAS scanning didn’t reveal any vulnerabilitie, so these had to be advanced attacks!” (That sounds funny to hear, but I am willing to bet a lot of CISOs actually think that) I don’t remember the exact order from there, but I got a few more easy boxes after looking at super vague Reddit posts of other people getting stuck and using context clues. This was a pretty big ego kick. I kept myself motivated by listening to OSCP story Youtube videos, and reading OSCP blog posts.
2018: Through some community service I do, I met a an ex-MITRE researcher who was willing to help show me the ropes. I don’t think I could be in Infosec without this individual. You know who you are! ;) I took one step backwards to take two steps forward. I learned a lot of broad topics covered in the course syllabus from DWVA such as SQLi and XSS along with being gifted a copy of, “Pentesting Testing: A Hands-On Guide To Hacking.” At the same time, I got an internship at a malware research company where I got a deep primer into malware analysis and RE. This gave me a love of malware, made me familiar with the Win32 API, and comfortable living inside of IDA Pro/ debuggers - despite not knowing how to program outside of Python3. For the first time in my journey, I really felt like I was making progress. The internship ended in the Summer of 2018, and I still talk to a few analysts there to this day. My parents were both injured and were handicapped at this point on, and I was taking care of them while working toward my bachelor’s degree - all while working at a managed security provider (MSP). This caused me to take a break from learning while I knocked out the bachelor’s degree by doing double classes on top of my other work.
2019: Shortly after graduating with my Bachelor’s degree, I was laid off from the MSP for downsizing. While this wasn’t optimal, it gave me the free time to start PWK. Around 30 days into my labtime, I found myself newly employed on a DFIR team for a large organization where I still am today. The IR team lead was enrolled in PWK the same time as me. It was great to assist each other in working through topics such as the Buffer Overflow, and getting nudges in lab machines.
You think I would have learned my lesson on taking shortcuts in 2017, but you’d be wrong. My strategy for the labs was to b-line the extra points documents, and do as many boxes as possible. This was good in theory, but I wouldn’t even attempt the box before reading it on the PWK forums. I justified it in my head such as, “Well, I want to know what the box is about,” but I knew in the back of my head it was a shortcut. I used Sparta/Legion to quickly enumerate boxes and do all the enumeration for me. Technically, it was fair game. I’d usually ask my team lead about the boxes a day or so after being stuck as well if Sparta wasn’t useful.
My lab time ran out, and I had conquered about 20 boxes in the public subnet. Everywhere I read said anywhere between 35-50 to be ready, so I was a bit nervous; however, I assumed I could automate myself through it. Surely, it wouldn’t be that bad and my sleepless nights wouldn’t be for nothing.
Attempt 1: I started my exam around 12 P.M. The proctor was super friendly, and I got to work. I started with the buffer overflow, but had issues and never got it despite practicing several BoF cases such as vulnserver, FreeFTP, SLMail, etc. This broke my morale and scared me. I eventually managed to pop a 20-point box around 5 P.M. which helped me calm down. Around 2 A.M. I quit the exam, and hung my head in defeat, spending the rest of the night sobbing. By 4 A.M., I was upset enough to punch studs in my wall, and bloody my knuckles (which required a trip to get bandaged up).
2020: I went back and practiced Buffer Overflows. After looking at my notes and command history, I knew why it wasn’t working. I had used the “script” command to log all my terminal history during the exam for review. I also bought more lab time, and did the rest of the first lab subnet without hints including gh0st, pain, and sufferance. I was planning on doing humble my last 3 days of time when tragedy struck. I joined a few hacking discords, swallowing my pride with being helped and/or getting harassed, which led to me becoming active in the InfoSec Prep, and the offical HackTheBox Discords. My last 3 days of lab time and a couple days before my second attempt, my girlfriend at the time was, “attacked” (if you know what I mean, I’m sorry) which extrememly messed me up mentally. I was extremely depressed, and drinking a lot in my free time after this. I was not in a healthy state of mind and it caused me to take a week off of work to recover.
Attempt 2: I was in a bartering stage of grief where everything would be okay if I could just pass this attempt. This attempt started at 2 P.M. The buffer overflow was completed by 3:30 P.M. One pro-tip for speed is to really know all of mona.py’s functionality. One 20-point was footholded immediadely after. “This could be the attempt,” I thought. Not even 2 hours in, and I already had 40 points. I hit a mental wall around 7 P.M. where the other 20-point box was footholded and rooted. I had 60 points. Just one more flag, and I was done.
That flag would never come. I could’t get any other flags, and at 1:45 P.M. my exam stopped. An exam report was still sent in. I knew how to escalate privileges on the 20-pointer, but no matter how hard I tried, I just couldn’t quite get it to work. OffSec sent me the fail e-mail, and I was back to being in a bad place. I didn’t eat for a couple days and felt sick. There wasn’t any point in moving.
I needed to prep more. At this point it is Summer 2020. I enrolled in Virtual Hacking Labs to get more practice in, since I screwed myself out of the PWK labs by using the forums incorrectly. I made an unspoken rule that I couldn’t get a hint unless I was stuck for 3, 1 hour long attempts at a box on different days. This isn’t a VHL review, but I may do one in the future (I got their certificate of completition). During that time, I needed help on one box, and a user in my DMs said, “you’ll never get your OSCP if you don’t work harder.” It was true, and it really bothered me…but they were right.
Attempt 3: If you’re still reading this, congrats! You made it to the good part. I started my attempt at 10 A.M. The buffer overflow was conquered in 45 minutes, and I got a foothold on a 20pt box 45 minutes later. I never did figure out what the heck I was supposed to do, and that box still haunts me a bit. Moving on the the other 20pt box, it was rooted in about 30 minutes and was pretty straightforward. I hit the 60-point mark. Just one more flag. Just one more flag.
After bouncing between the 25pt foothold, the 10pt foothold, and the 20pt root, I finally popped the 10pt box after playing around a bit. I celebrated by getting some Fajitas, came back home, and wrote my report. It was finished around 12 A.M. and I went to bed. I woke up at 6:30 A.M., and I tried getting the other boxes…but no dice. The report was submitted at 9:15am Sept 1st, and I waited for the results. Admittedly, I wasn’t in the best mental health, and matters were worse. September 10th my dog was put down, and I told myself that I couldn’t handle it anymore if this was a fail, and I was going to consider a new niche in Infosec. Then…on September 11th at 2 P.M. I had received that glorious pass email, and went out for steak.
The reoccuring theme I mentioned at the beginning was taking shortcuts that were ultimately my downfall. I cheated the enroll on HTB (when I really wasn’t ready to be in there yet), and I abused the forums to get insight on the boxes. Shortcuts ruined the experience and the potential learning curve I could have had which costed me in the long run. I wanted to run before walking, and someone wanting to get into the field just can’t. We all want to be the next IppSec or John Hammond, but even they started somewhere. It’s okay to be stressed out, and stuck on machines. Hacking takes time, and is thankfully difficult. If it were easy, we would all need new SSNs. While I love the tutorials online for CTFs, they don’t show the struggle in the background. They are done ahead of time, and the direct path is shown. Researching the vulnerability/app takes time and it’s okay. It’s not a speedrun. Don’t rely on enumeration tools. Everyone loves AutoRecon/Legion/linpeas, but it’s important to be able to do the enumeration manually in the background. Know each component, and don’t use it as a crutch. It’s okay to ask for help (in moderation). Don’t ask because you want the answer, ask to make progress. You don’t learn by getting the answer quickly, and as much as it sucks, get used to being uncomfortable and uncertain where to go. Staying calm is what makes a good pentester. Take breaks. No one is pointing a weapon at you forcing you to pass. It’s okay to go at your own pace.
While this post isn’t super technical in nature, I hope it does provide some insight on my OSCP journey, and some students can walk away with its lessons.
“Hop” to see everyone next time.