My OSCP Journey

Published: 2020-01-15

This page is a short summary of my work through the PWK course and the OSCP certification. My certification ID is OS-101-47316.

Please be aware that this post is about my certification in early 2020.


PWK course

Many people asked me questions about "the lab". - How many hosts are there? - How much lab time do I need? - Is it like a CTF? - Is it hard? - I can only answer some of these questions from my point of view. To begin with, I had 120 days of lab time. This was because I was very busy at work and was hardly able to spend about ~15 days (full time) on the lab in the first 90 days. I was then lucky to be off work for a month and could focus strictly on the PWK lab. In those remaining 30 days I was able to root every lab machine there is. - Is this needed? - No. - Was it fun? - Yes. When you start the course you receive some hours of video material covering the course topics, plus a PDF covering the same topics, sometimes with different examples than the videos. The PDF has some exercises. I had some experience in infosec and pentesting from my work and from CTFs. Still, I wanted to see if I could learn something new from the course materials. Also, refreshing my memory wasn't bad.

Working through the videos - hint: you can speed up playback to 1.5x or 2.0x - and the PDF took me about 2 weeks, read as 10 full-time days. Here, I also did one part of the lab report, which grants you up to 5 bonus points on the exam. - To get them you have to document every exercise in the PDF and document rooting 10 of the lab hosts. After watching the videos, reading the PDF, trying the examples and doing the exercises, I started with the lab. - To be fair, at some points during the PDF/videos I had already tried some methods against lab hosts. - So, how would I approach the lab?

The lab consists of multiple hosts, and you receive the IP range for them. It is possible to see which hosts are there when you check the student forums. - You can also find (sometimes misleading) hints there. What I did was check the available hosts and then start from the lowest IP and work up to the highest. For me, the biggest challenge was getting used to doing the same thing again and again, and not only that, but also doing it correctly and documenting everything. Run scans, analyse the results, know which vector you would check first for a possible attack. For attacking and rooting I tried to stick to the OSCP guidelines. So I always tried to create proofs and screenshots. Also, I only used Metasploit when the PDF demanded it or there was no exploit that was easy to port.
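As an added example, not code from the original post, here is a small Python script for the scan/analyse/document loop described above: it parses nmap's grepable output (-oG) for a lab range, sorts hosts numerically by IP so that .9 comes before .10 (a plain string sort gets that wrong), and emits one block of notes per host listing its open ports and version banners, ready to be pasted into the lab documentation. The scan output embedded in it is constructed for illustration; the hosts and banners are hypothetical.

```python
"""Added example (not from the original post): turn nmap grepable output
for a lab range into per-host notes, sorted lowest IP to highest.
The scan output below is constructed for illustration, not a real lab result."""
import ipaddress
import re

# Constructed sample of `nmap -sV -oG -` output (hypothetical hosts and banners).
# Grepable format: "Host: <ip> ()<TAB>Ports: port/state/proto/owner/service/rpc/version/, ..."
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.11.1.10 ()\tStatus: Up
Host: 10.11.1.10 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.11.1.9 ()\tStatus: Up
Host: 10.11.1.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# One port entry has seven slash-separated fields and a trailing slash.
# nmap replaces "/" inside version strings with "|", so [^/]* is safe here.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]}
    for every host line that carries a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        entries = []
        for item in ports_field.split(", "):
            m = PORT_RE.fullmatch(item.strip())
            if not m:
                continue  # skip anything that is not a well-formed port entry
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries.append((int(port), proto, state, service, version))
        hosts[ip] = entries
    return hosts


def open_ports_by_host(hosts):
    """Sort hosts numerically by IP (not as strings) and keep only open ports,
    giving the checklist for the lowest-to-highest walk through the range."""
    ordered = sorted(hosts, key=lambda ip: ipaddress.ip_address(ip))
    return [(ip, [e for e in hosts[ip] if e[2] == "open"]) for ip in ordered]


def render_notes(summary):
    """Plain-text notes for the lab documentation: one header per host,
    one line per open port, and a reminder of what still has to be recorded."""
    lines = []
    for ip, ports in summary:
        lines.append(f"[{ip}]")
        for port, proto, _state, service, version in ports:
            lines.append(f"  {port}/{proto}  {service:<14} {version or '(no version)'}")
        lines.append("  next: pick first vector, collect proof + screenshot")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_notes(open_ports_by_host(parse_gnmap(SAMPLE_GNMAP))))
```

Feed it real output with `nmap -sV -oG scan.gnmap 10.11.1.0/24` and read the file instead of SAMPLE_GNMAP; filtered ports are dropped on purpose, since only open services belong on the first-vector list.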

The biggest critique you will read about the lab is the outdated software it uses. For me, it wasn't too bad. You use similar methods in a pentest, regardless of whether the vulnerability is 2 weeks or 3 years old. The only place where it is a bit sad is privilege escalation. Having shell access on a host, you would always check the Windows update state or the Linux kernel version to get an easy kernel exploit going. - I went down that route way too often, especially when no other obvious PE method was in sight. Maybe here I should have tried harder more often.

Talking about trying harder: I've mentioned the student forums before. They are a great place to discuss hosts, hints and attack methods. But, and there's a big BUT, don't go there too soon. Checking posts for hints spoils the fun massively. Even if it's just which running service to target or whether the PE exploit has to be compiled or not. It takes away a lot of experience you would otherwise gather. - For me the rule was: go there only when really stuck. - How would I know? - Well, I tried to keep it to this: when I was out of ideas and running in circles for about an hour or two, I would check the forum up to the point where I found something new. Then go back to the host, continue, return in case I still couldn't find anything, and so on. I must also admit that I caught myself giving up and checking the forums way too often, especially when I was working on a host later in the day.


OSCP Exam

To start with, I passed the exam after about 11 hours. Would I recommend it? - Yes, it was fun, afterwards. The stress situation you put yourself in, because it is a 24-hour hacking exam, reminded me a bit of 24-hour CTFs, with the biggest difference being that there was a goal I had to achieve, on my own.

I started my exam at 8:00. To add here, I am a morning person; if you would rather get up late, you might want to start at 12 or even later, also depending on whether you plan on sleeping during the 24 hours, which I recommend. I started my first day by getting up at about 5:30, taking a shower and having a good full breakfast. I checked the news, Twitter etc. before the exam started. Just like a day at work.

About the proctoring: I was really fine with it. Basically you log in to a website, share your screens and connect your cam. A proctor asks you to move the cam so they can see the room, and then you show some ID to the cam to verify it's you. Afterwards you are good to go. The conversation with the proctors was always via chat. They were friendly, but conversation was kept to a minimum: hello, good luck, good bye, and requesting a break every once in a while.

During the exam I took a break every one and a half hours. Refill my tea, go to the bathroom, go for a walk, have lunch, have dinner, etc. - Don't forget, you can take as many and as long breaks as you want, so take them! - As I had reached the required 70 points after about 11 hours into the exam, I could even take a sleeping break from 22:00 to about 4:00. When I got up again, I had my last host left, but I still felt stuck there and decided to rather write a good report until the end of the exam. Also because I wanted to make sure I had documented everything correctly, as the exam VPN is terminated after the 24 hours.

A small hint for the beginning of the exam: one task is really straightforward and also well documented in the PDF. As it takes some time to do it properly and report it, I recommend starting with this and letting enumeration scans run against the other exam hosts in the meantime. Another hint for during the exam: if you feel stuck for too long, move on and take a break. Getting your mind on other things might be just the right thing to solve the problem later on. At least for me, this worked during the exam.

For my exam attempt it took them about a day to send me an email saying I had passed. I was really happy, but still annoyed that I will probably never find out how I could have continued with the last host. For others it might take longer to receive the result; still, I think their stated 10 business days is quite okay. At least better than what I was used to from some professors at uni.


Software Recommendations

During the PWK course and the OSCP exam I've used some tools which were not mentioned in the materials:

For pivoting between networks: sshuttle
For running automated scans (especially for the exam): AutoRecon
For writing and porting exploits: pwntools
For Linux privilege escalation help: linprivchecker
For Windows privilege escalation help: windows-privesc-check


Other materials

During the PWK course and the OSCP exam I've often checked the following resources:

Linux privilege escalation: g0tmi1k
Windows privilege escalation: fuzzysecurity, absolomb
Windows / Linux Local Privilege Escalation Workshop: lpeworkshop
