Zero to OSCP in 292 Days... or How I Accidentally the Whole Thing - Part 2

Intro

After writing part one and not expecting anyone to read it:

https://blog.mallardlabs.com/zero-to-oscp-in-292-days-or-how-i-accidentally-the-whole-thing-part-1/

I got bombarded on Slack, Twitter, and Reddit with:

"I'm looking forward to reading the rest of your story!"

"Hell of a story. You need to get part II up ASAP"

"Dude! You can't leave me like that! :("

"WHERE IS PART 2?!
Holy shit, man. Your life is so interesting."

"Bro I didn't realize there would be no infosec in part 1. I feel bamboozled."

Sorry to keep you guys waiting; here comes the actual infosec/OSCP meat and potatoes. NO BAMBOOZLING.

I probably should have split this into a three part blog post, but I think people would lose their shit.

Thank you again to Steve Becker for his ninja editing skills:

https://twitter.com/CowbellSteve

Future Crimes

At some point in 2016 I bought and read Future Crimes by Marc Goodman:

https://www.amazon.com/Future-Crimes-Digital-Underground-Connected/dp/0804171459

TL;DR: everything is vulnerable, we're all fucked, and oh yeah, there's a huge shortage of infosec professionals.

That's when it clicked: “Wait, infosec is a valid career path?” I don't know why it never occurred to me. I graduated high school in 2003 and college in 2007. I didn't even realize this was a possible career; I mean, OSCP wasn't even created until 2006.

I can break shit and get paid for it? I've always loved problem-solving, whether it's been video games, putting together an investment portfolio for a client, or playing online poker and trying to figure out my opponent.

If someone gives me a VM, challenge box, or CTF and tells me to break in, or tells me I won't be able to beat it, my first response is: don't tell me what I can't do.

NCC Group

The first thing I did was email maybe ten of the largest infosec and pentesting firms in NYC, saying "Hey, I'm interested in infosec, how would I go about getting my foot in the door with no education, experience, or background in it?"

All of them sent emails back roughly saying "good luck" or "thanks, but no thanks." Except for one, NCC Group. I got a nice email back saying "Hey, what's your address?" They mailed me a copy of The Web Application Hacker's Handbook, and said, "Let us know when you're ready."

Me being my challenge-loving self, this lit a fire under me.

I started going to NCC Group Quarterly meetups in NYC:
https://www.meetup.com/NCCOpenForumNYC/

and OWASP meetups:
https://www.meetup.com/owaspnyc/

TOOOLNJ and Central NJ Infosec

I got into lock picking as a hobby, since it's often a skill used by red teamers.

I went to my first TOOOLNJ (The Open Organization of Lockpickers) meetup:

https://twitter.com/toool_nj
https://www.meetup.com/TOOOL-New-Jersey/

At my first meetup I met Shawn Sheikhzadeh, Ben Smith, and Matt Keyser, and we instantly hit it off.

https://twitter.com/darksim905
https://twitter.com/bensmith83
https://twitter.com/matthew_keyser

Feeling bad about hijacking the meetup and blabbing about infosec the whole time, I casually mentioned how it's bullshit that all the good meetups are in NYC and we have none in NJ. The group was in agreement, so I suggested: why don't we start our own meetup?

That was the birth of our Central NJ Infosec meetup:

https://twitter.com/nj_infosec
https://www.meetup.com/Central-Jersey-Infosec-Meetup/

We have something like 250 members, and about 10% show up each month at the Bridgewater Library or whichever venue we choose if we can't get the library. Usually we end up going out for food afterwards, where we shitpost IRL until everyone realizes they have to go to work in the morning.

I just want to thank Shawn, Ben, and Matt for all their hard work and dedication. I may have gotten them pumped up to start a meetup group, but they do all the heavy lifting. They do a great job making sure we have a speaker, a venue, and food or ordering pizzas for the group. All I wanted was to have a local meetup I could go to, and they made it happen, and continue to bring their experience, knowledge, and guidance every month. <3

BSidesPhilly 2016

I signed up to go to my first security conference, BSidesPhilly, in 2016 and attended with Ben and Matt.

It was an amazing experience meeting so many hackers with very different backgrounds, working in all different facets of infosec, who all were getting together because of their shared passion.

I got the chance to talk to actual pentesters, where I could explain my background and what I was looking to do. I asked for advice on how to get my foot in the door, and they all pretty much told me the same thing.

“No one is going to take you seriously without OSCP.”

OSCP Research

I had already known about OSCP for a while at that point, but was only casually considering it.

After trying to read The Web Application Hacker's Handbook and it going over my head, I decided I needed some type of formal training.

I bought CompTIA Security+ and CEH study guides on Amazon and tried to get through them, but thought to myself, “Okay, if I read these and sit through a multiple choice test, it may help me get through an HR filter, but I still have no idea what I'm doing.”

Not wanting to go back to college in my thirties, I started Googling practical and hands-on infosec certifications and exams.

I devoured forum, blog, and Reddit posts.

It looked like there were three options: SANS, Offensive Security, and a third company, eLearnSecurity.

SANS courses cost something like $6,000 to $6,500 and were definitely out of the question for me to pay out-of-pocket.

OSCP is widely regarded as the gold standard of pentesting certs, but reading the syllabus and blog posts, the cert seemed really difficult.

eLearnSecurity

After lurking a bit on TechExams.net:

http://www.techexams.net/forums/security-certifications/

it seemed like a popular path was eJPT > eCPPT > OSCP.

eLearnSecurity Junior Penetration Tester:
https://www.elearnsecurity.com/course/penetration_testing_student/

eLearnSecurity Certified Professional Penetration Tester:
https://www.elearnsecurity.com/course/penetration_testing/

Since the eJPT is $399 for 60 days of lab time and you can learn at your own pace, I figured it was a small investment to see if this was something I really wanted to pursue.

The course content was great: it was set up with slides and videos as an online classroom, and there are forums where you can ask the instructor questions. The thing I like most about eLearnSecurity is that the labs are dedicated to you, so no one can revert your machines while you're working on them. cough OSCP and HackTheBox cough

I was hooked; this was my first experience with online labs, CTFs, or any kind of pentesting. I think I banged the course out in 2 weeks, took the online pentest exam in a few hours, and passed.

Next I moved on to eCPPT. Even though I hadn't used all my lab time in eJPT, I signed up for 120 hours of lab time for $1299.

It was much more difficult than eJPT, not necessarily because the content was harder, but just because of the sheer volume. There are 14 hours of video training material, over 5500 slides, and 27 labs in Hera Lab.

I had a very hard time with the buffer overflow section, but it was not due to their teaching. I just underestimated how big of a part it would be on the exam.

The course took about 90 days, and the exam was different from eJPT. You have one week to do a pentest of the exam environment and then one week to write and submit a pentest report. They have a great guide on writing a pentest report and Armando Romeo, eLearnSecurity’s CEO, has a post in the forums that made me chuckle.

A student asked, "So for the eCPPT exam report can we follow the format of Offensive Security's MegaCorp One report?"

Armando replied, "Wait, wait, wait.

“That is not a pentest report. It's an ‘attack narrative’ as written in that PDF.

If you like fiction books and you want to write one then I'll gladly read it, but not approve it.

A pentest is not just a tale about you getting root (companies can buy Kevin Mitnick's books if they wanted that), because getting root is not what a pentest is.

A pentest report is a different thing, so let's not confuse people: follow OUR pentest report methodology.

Thanks"

It took a few weeks for them to grade my pentest report once I submitted it, but I got an email with a PDF of this badboy (the eCPPT certificate).

OSCP... I wasn't ready for this

Pre-OSCP Chaz vs. Post-OSCP Chaz (photos).

I signed up for PWK/OSCP on 4/4/17 for a start date of 4/29/17. I took my 4th exam attempt on Valentine's Day, 2/14/18, submitted my passing exam report on 2/15/18, and got the email confirmation that I passed on 2/16/18.

Ok, so some of you might be doing the mental math here: 14 days of eJPT, 90 days of eCPPT, and 292 days of OSCP is not Zero to OSCP in 292 days. To that I have no response, but yeah, you are right.

  1. Zero to OSCP in 396 days doesn't sound as sexy.
  2. It's too late to change it now.
  3. This is my blog, so tough shit.

Why I'm writing this blog post

I had never made a post like this on Twitter or Reddit before; mainly I just lurked and commented.

I made a Twitter post when I got confirmation I passed that got a lot of attention:

As well as a Reddit post on /r/netsecstudents to answer any questions people might have, which very quickly jumped to the sixth-highest post of all time there:

People started asking me to write a blog post about the experience, so here we are. I'm sorry, but you guys asked for this.

Finally what you've been waiting for

What did I learn?

What I wish I could tell younger Chaz

One of the Twitter All-Stars I follow posted "OSCP got me feelin like a faker right now" and another one replied "It was much easier when I took it back in 2007". When I tried to find it again, it had been deleted.

It made me feel a little better, but still didn't help me in any way.

What I wish I could have told my past self:

  • Don’t abandon programming in high school
  • Take this cert in 2007, it was easier back then
  • Take this while you are still employed
  • Stop doing everything the hard way
  • Take better notes, idiot

Programming is so much sexier today with mobile, IoT, Raspberry Pi, etc. With all the cool projects out there, I feel like I have to play catch-up now.

General OSCP Thoughts

  • Know what you're getting yourself into; it took me 292 days full-time
  • This is not an “I’ll study on weekends” cert
  • I have no idea how people do this with a full-time job or a wife and kids
  • Expect late nights/early mornings, lunch breaks, 4-16 hour days
  • Your significant other, friends, and family are going to be pissed
  • What’s a social life?
  • Be comfortable with Python and scripting, general networking, and sysadmin tasks
  • Get ready to rage, Offsec are known to be trolls. Their motto is “try harder”

Make sure you have good music

The OSCP is a fucking grind, that being said, it was the best fucking grind of my life.

Shameless plug for pianobar, a console client for the personalized web radio Pandora, that also has a Windows port if that's your thing (I am not affiliated with them in any way):

https://github.com/PromyLOPh/pianobar

OffSec IRC Channel

I didn't spend much time in the OffSec IRC Channel but do have a funny story.

Day one I ended up getting into trouble. They have a hint bot in the IRC channel: if you type !name, where name is the hostname of a lab machine, the bot spits out a vague hint that doesn't really make sense, but once you pop the box you're like, “Ohhh, I get it now.”

So, me being my idiot self, I didn't want to be blatantly obvious and write a script to get all the hints for the lab boxes, so I slowly typed the names in one by one every once in a while.

An admin caught on (I wish I had taken a screenshot) and said, "Chazb0t abusing the hint bot is not a valid enumeration method. ಠ_ಠ"

Meat and Potatoes - OSCP Prep

I'm not going to beat a dead horse here, there are a lot of OSCP Prep guides out there, most of which are very good.

https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html

https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/

http://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/

I think a lot of people try to over-prepare, but there's no substitute for just jumping in and getting your feet wet. 99.9% of the learning is in the hands-on labs.

Your Google-Fu is going to become next-level. (Also StackOverflow is bae <3)

Books

Like I said earlier, 99.9% of the learning is in the labs; however, some people prefer to learn from books. Here are some books that were helpful to me.

Mandatory:
  • Penetration Testing: A Hands-On Introduction to Hacking - Georgia Weidman
  • The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition - Dafydd Stuttard and Marcus Pinto

Optional:
  • The Hacker Playbook: Practical Guide To Penetration Testing - Peter Kim
  • The Hacker Playbook 2: Practical Guide To Penetration Testing - Peter Kim
  • RTFM: Red Team Field Manual - Ben Clark
  • Hacking: The Art of Exploitation, 2nd Edition - Jon Erickson

Practice Labs

HackTheBox was not around when I first started. I wish it had been, so maybe it wouldn’t have taken me 292 days and four attempts to pass OSCP.

Its labs are the closest I've found to the OSCP lab environment, with some of the machines having similar solutions.

I recommend paying $10/mo for VIP. It costs the same as Netflix, and there are fewer users sharing your labs than in the free version, so there’s less of a chance someone will revert a machine while you're working on it.

PentesterLab is more educational than just a playground like HTB and OSCP labs. It also has practice labs and challenges. I learned a lot from them.

Again, for minimal investment you are going to get your money's worth.

I did fewer Vulnhub VMs than the previous two sites, but it’s still a super helpful free resource. You can download boot2root VMs, and there are walkthroughs to help you through if you get stuck.

Abatchy has a good guide on which Vulnhub VMs to focus on:

https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html

I wish I had known about HackTheBox and PentesterLab before I started eLearnSecurity or OSCP, but they weren’t around or were very new when I started.

Between my 3rd and 4th OSCP exam attempts, practicing on HTB and PentesterLab was the difference between me passing and failing.

Disclaimer: I am in no way associated with any of these sites.

Reconnoitre

https://github.com/codingo/Reconnoitre

by https://twitter.com/codingo_

This script was also not available before I started, and I didn't find out about it until I was towards the end of my OSCP journey.

The original post showed screenshots of a usage example, its output, and the recommendations it produces.

YouTube Videos by IppSec

https://twitter.com/ippsec
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Another gem I didn't find until the end of my journey is IppSec, who is a fucking wizard. He has something like 34+ walkthroughs of retired HackTheBox machines. I learned so much from this guy that it's insane, and I will be eternally grateful.

Not just pentesting techniques, but little things too. I had no idea about tmux; I would just have a bunch of terminal windows open and tile them like the scrub that I am.

For the longest time when I got reverse shells I would suffer through using non-interactive shells until I learned about upgrading to interactive shells from IppSec:

python -c 'import pty;pty.spawn("/bin/bash");'
CTRL-Z
stty raw -echo
fg
ENTER

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
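The flip side of the upgrade sequence above is spotting it in telemetry. This is an added example, not code from the original post or from the linked articles: it scans constructed process-execution records (the JSON-lines shape with "ts", "sid" and "cmd" fields is an assumption, not a real product's format) for pty.spawn() followed by stty raw -echo in the same session, and rates each hit.

```python
"""Flag the tty-upgrade sequence in process-execution telemetry.

Added example; the record shape (one JSON object per line with "ts",
"sid" and "cmd" fields) is an assumption, not a real product's format.
"""
import json
import re
from typing import Dict, List

# Constructed sample records, not real logs: "sid" is a session id used
# to correlate the python process and the stty call that follows it.
SAMPLE_RECORDS = [
    {"ts": 1, "sid": "s1", "cmd": "python -c 'import pty;pty.spawn(\"/bin/bash\");'"},
    {"ts": 2, "sid": "s1", "cmd": "stty raw -echo"},
    {"ts": 3, "sid": "s2", "cmd": "python3 manage.py runserver"},
    {"ts": 4, "sid": "s3", "cmd": "stty sane"},
    {"ts": 5, "sid": "s4", "cmd": "python3 -c \"import pty; pty.spawn('/bin/sh')\""},
    {"ts": 6, "sid": "s5", "cmd": "stty raw -echo"},  # no preceding pty.spawn
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\nnot json at all\n"

# pty.spawn( with optional whitespace around the dot and paren.
PTY_SPAWN = re.compile(r"\bpty\s*\.\s*spawn\s*\(")
# stty invocation carrying both "raw" and "-echo", in either order.
STTY_RAW = re.compile(r"\bstty\b(?=.*\braw\b)(?=.*-echo)")


def parse_records(text: str) -> List[dict]:
    """Parse newline-delimited JSON, dropping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # bad telemetry must not crash the detector
    return sorted(records, key=lambda r: r.get("ts", 0))


def detect_tty_upgrade(text: str) -> List[dict]:
    """Return one finding per session showing the upgrade pattern.

    pty.spawn() on its own is rated "medium" (it has legitimate uses);
    pty.spawn() followed by `stty raw -echo` in the same session is
    rated "high", because that is the full sequence for turning a dumb
    reverse shell into an interactive one. `stty raw -echo` alone is
    ignored: without the spawn it is just someone fixing their terminal.
    """
    sessions: Dict[str, dict] = {}
    for rec in parse_records(text):
        cmd = rec.get("cmd", "")
        state = sessions.setdefault(rec.get("sid", "?"), {"spawn": None, "stty": None})
        if PTY_SPAWN.search(cmd) and state["spawn"] is None:
            state["spawn"] = rec.get("ts")
        elif STTY_RAW.search(cmd) and state["spawn"] is not None:
            state["stty"] = rec.get("ts")

    findings = []
    for sid, st in sessions.items():
        if st["spawn"] is None:
            continue
        full = st["stty"] is not None
        findings.append({
            "sid": sid,
            "severity": "high" if full else "medium",
            "reason": "pty.spawn followed by stty raw -echo" if full else "pty.spawn only",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_tty_upgrade(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this yields one "high" finding for session s1 and one "medium" for s4; the lone stty in s5 and the unrelated python process in s2 produce nothing.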

Exam Format

https://support.offensive-security.com/#!oscp-exam-guide.md

Everything I'm sharing here is well documented in multiple places online. The exam is 5 boxes of varying difficulty, scored out of 100, and you must achieve a minimum score of 70 points to pass.

You have 24 hours to perform the penetration test on the 5 boxes, and then another 24 hours to write and submit your report.

There are an extra 5 bonus points available if you submit a lab report alongside your exam report.

There are two 25 point boxes, two 20 point boxes, and a 10 point box.

Low-priv is partial points (amount unknown, I'm assuming 10 points), while root is full points.

One of the 25 point boxes is the buffer overflow box.

"You may only use Metasploit Auxiliary, Exploit, and Post modules against one target machine of your choice.

Once you have selected your one target machine, you cannot use Metasploit Auxiliary, Exploit, or Post modules against any other machines."

Exam Scores

It took me four attempts to pass the exam. For the first three attempts I didn't bother submitting a report, because I knew I didn't have enough points to pass even with my 5 bonus points:

  • 8/2/17 - 35 pts (25pt Buffer Overflow box, 10pt box using Metasploit)
  • 10/5/17 - 45 pts (25pt BOF, 10pt Metasploit, 20pt low-priv)
  • 12/19/17 - 55 pts (25pt BOF, 10pt Metasploit, 20pt)
  • 2/14/18 - 80 pts (25pt BOF, 20pt, 10pt, 25pt)

The last exam attempt I didn't even use Metasploit, I had been purposefully working towards not using it as a crutch.

Lab Report

For the love of God, please take good notes from the beginning. My note taking was atrocious; by the time the exam rolled around I had to go back and re-root 10 unique machines from scratch because my notes were so bad, all so I could document my steps to get an extra 5 bonus points. This is the last thing you need to be doing before an exam attempt.

Failed Exam Attempts

My first exam attempt I scheduled for 9 AM, I figured I would start early because your first waking hours are your most productive. I would work all day and pull an all-nighter if I had to. This was the worst idea in the history of ideas, partially because I hadn't pulled an all-nighter since high school or college.

I didn't take enough breaks, and got burnt out pretty quickly. By the time 3 AM rolled around I was a zombie, I hobbled over to the bedroom and climbed in bed trying not to wake my wife. I had set my alarm for 6 AM, my alarm went off and I hit snooze I don't know how many times.

I got up to watch the last couple hours of my exam tick away, and it was one of the worst feelings watching the clock run out and knowing you have failed before it's even over.

I don't want to say my life has been easy, but I have never failed at something I have tried my hardest at and wanted so badly. I felt pretty defeated and discouraged, but refused to give up.

For my second exam attempt I scheduled it for noon, and roughly the same thing happened. I did better than the first attempt, but still sat there watching the clock run out and staring at the screen feeling like a failure.

For my third attempt I had an idea: I scheduled the exam for 3 PM, so I could work for 9 hours until midnight, sleep for 6 hours, get up at 6 AM, and work another 9 hours until 3 PM. It broke the 24 hour pentest into two nine hour days with six hours of sleep in between. This was my best attempt yet; I got so close I just needed at least one more low-priv to skate across the finish line.

Final Exam Attempt

The difference between passing and failing was that in between lab extensions I hit HackTheBox and PentesterLab hard. HackTheBox was amazing: it was like the OSCP labs, but only costing me $10/mo, with no stress, no $150 lab extension, and a much more relaxed pace. I sat through all of IppSec's YouTube videos, things really started clicking, and I was getting more efficient trying to mimic his methodology.

I could learn at my own pace and really be like a sponge, and the same goes for PentesterLab. I worked my way through their essential badge, and Web for Pentester 1 and 2 modules.

I was ready to extend my OSCP labs one more time. I shelled out another $150 for 2 more weeks of practice labs and scheduled my exam for the only date they had available, Valentine's Day, 2/14/18. I apologized to my wife, but this was it. After failing a 4th time they make you wait 6 weeks between retakes, so this was my last stand.

I don't care if I tear another artery and have another stroke, I'm going to pass this fucking exam if it kills me.

Because this was my 4th time taking the exam, I got the buffer overflow box down to under 30 minutes. The first time it took 4 hours because I was copying and pasting something from the PDF and the formatting was getting messed up without me realizing it.

I also think I passed within the first 4 hours: 25+20+10+20(lp) should have added up to 65, and the 5 from my lab report would have put me at 70/100.

I wasn't about to leave it up to chance, so I spent the next 12 hours trying to privesc to root on the 25 pt box. Finally, with 90 minutes to spare, I got it, for an 85/100 with my lab report. I spent the last 90 minutes trying to get the remaining 20pt box.

I wanted so badly to get 105/100 just because OffSec put me through this ordeal, but I was unable to find a way in, so I'll settle for 85/100 after my lab report. ¯\_(ツ)_/¯

Final Thoughts

I had originally signed up for 90 days of lab time, which was $1150. An exam retake was $60, but a 2 week extension of the practice labs is $150 with a free exam attempt included. So with the 3 extensions the total came to $1600, plus a couple months of HackTheBox and PentesterLab subscriptions at $10/mo and $19.99/mo. Let's just call it $1700. Be aware that the initial fee you pay might not be the total cost, whether you are paying out-of-pocket or your employer is paying.

Factor in the Exam Retake Cooling Off Period, if you're trying to schedule your life or work around the exam:

1st failed exam - 1 week
2nd failed exam - 2 weeks
3rd failed exam - 3 weeks
4th failed exam - 6 weeks

I think that about covers it, I apologize again for making you guys sit through this massive blog post, but you guys asked for it.

Don't let your dreams be dreams, don't let anyone tell you what you can't do, life is too short to do something you hate.

Obligatory Shia LaBeouf.

Thank Yous

Dostoevsky and Sullbrix for letting me be an author on this blog so I didn't have to host my own or use medium.com:

https://twitter.com/dostoevskylabs
https://twitter.com/sullbrix

Triple thank you to Steve Becker for his ninja editing skills:
https://twitter.com/CowbellSteve

Another special thank you to Sullbrix for being there to answer my stupid questions, commiserate over my failures, and cheer me on from the sidelines. I had never met him in person before I passed my exam; the kindness of internet strangers can be incredible.

Special thanks to the founders of Central NJ Infosec for running the meetup and giving me a place to go every month to meet new people, and talk all things infosec:
https://twitter.com/darksim905
https://twitter.com/bensmith83
https://twitter.com/matthew_keyser

As well as all the members of CNJInfosec who are too numerous to name one by one, for making me laugh and encouraging me through the tough times.

Thank you to my amazing wife Kristen for putting up with my crap for the last 9+ months, and my friends and family for their never-ending support and believing in me.

Finally, thank you Offensive Security for the most challenging, frustrating, and rewarding learning experience of my life. They provided the rollercoaster, and the most amazing playground where I learned more than I ever thought possible.

I am more proud of this than anything I've ever done.