Offensive Security Certified Professional (OSCP) is an advanced certification in penetration testing. According to Offensive Security, an OSCP “has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.”
The title is not given lightly. Becoming an OSCP requires taking a difficult course followed by a grueling 48-hour exam that simulates intense real-world situations that threaten organizations.
In order to attempt an OSCP, a prospective student must first sign up for the Penetration Testing with Kali Linux (PWK) course offered by Offensive Security. The course requires lab time–students can choose from 30-90 days. I chose 90 as the course was said to be very difficult. Students are given a PDF guide with exercises throughout and videos covering different techniques. Students then take what is learned in the course material to work through the labs. The course does not give you step-by-step instructions on how to get into each lab machine. Instead, key concepts are covered and it is up to the student to figure out how to apply these techniques in various scenarios. The labs are where the concepts learned can be applied and where the students can put their skills to the test.
The lab environment comprises about 50 machines in four different networks. The student is given access to the “public” network and must unlock the other networks by compromising machines that have two network interfaces. These machines are subsequently used to pivot into the other networks using various techniques. The other networks consist of Dev, IT, and Admin networks. The most difficult network to reach is the Admin network, which can only be unlocked by pivoting into the IT network, then finding the machine in IT that has two networking interfaces and pivoting again into the Admin network. The machines in the labs run the gamut from Windows XP to Server 2008 R2, as well as a wide variety of Linux operating systems. They also have typical services/applications that you would see in an enterprise environment. Automated user behaviors assisted in simulating client-side attacks, such as XSS.
After my initial 90 days of lab time I had only compromised 16 machines. This was clearly going to be an extremely difficult certification to achieve, not to mention very time-consuming. Out of these 16 machines, some took 5+ days to compromise. The labs were made to be extremely frustrating, with many of them requiring stringing multiple vulnerabilities together in order to fully root.
Not feeling very confident about attempting the exam, I decided to sign up for another 30 days of lab time. During this time I compromised 14 more machines, and, more importantly, learned some valuable lessons that made me feel more confident attempting the exam. With 30 machines out of 50 rooted, I felt it was time to try the exam.
This is one of the longest exams I have ever taken. It runs for 48 hours. The first 24 are a hands-on hacking challenge and the other half are allocated for writing a report to a fictional business describing in detail how each machine was compromised and providing recommendations on how to remediate or reduce the risk on each. The student is provided five machines to hack, each with different point values. The student must score a minimum of 70 points in the hands-on challenge to pass the exam.
However, just getting the points is not enough. The student is graded on the report as it provides details on how each machine was compromised as well as screenshots of proof files that Offensive Security puts on the machines. These files are only accessible to the administrative user/root user. Failure to properly document how a compromise was accomplished can result in a loss of points gathered during the first 24 hours. This testing approach perfectly mimics a real world pentest where a business is paying for the report, so it is crucial that the report clearly details each vulnerability and impact to the business if the vulnerability were to be exploited.
I started the exam at 9AM and was moving at a pretty good pace. By 3PM I was able to get a shell (access) on three machines, two of which had full administrative privileges. The third machine caused me a lot of issues. I spent the next nine hours trying to figure out how to escalate privileges from a normal user to an administrative user. I finally figured it out at midnight, but I was still a little short of the points needed to pass the test. I worked on the fourth machine until about 2AM before I decided to try and get some sleep, which didn’t go well. After tossing and turning for 3 hours I got back up around 5AM and continued to work on the fourth machine. Then around 6:30AM I discovered how to compromise the machine and accumulated enough points to move on.
My experience as a pentester definitely helped in the next 24 hours allocated to writing the report. By about noon I had 90% of the report completed. Feeling a little loopy, I decided to try and get some sleep. I set an alarm for 3PM to ensure I did not fall too deeply asleep. After waking up a little more refreshed I finished writing the report and triple-checked everything in the exam guidelines provided by Offensive Security to ensure I did not drop any points. After reviewing my 30-page report I decided it had all the necessary detail and at 6PM it was ready to submit to Offensive Security. I received an email hours later letting me know that the report was received and that the review process would be completed within 3 business days.
About a day and a half later I woke up to an email from Offensive Security letting me know that I had passed the exam and that I was now OSCP certified.
Overall I think this was an excellent challenge and is by far the most difficult certification I have obtained. This is not for the faint of heart and requires a lot of determination, persistence, and time. I would highly recommend this course to anyone looking to get into penetration testing. This certification proves the holder has hands-on skills, something multiple choice tests do not.