Today was the last day of preparation prior to taking the OSCP certification exam. Tomorrow I enter the arena, square off against five targets, and see if I’ve got what it takes to take home the prize. The following day will be spent revising my report and ensuring everything is in good order before finally sending it off to be judged. Within 48 hours, I’ll have a pretty good sense of how well I did. Within a week, I’ll know for sure.

I’m fully prepared to fail the first attempt. I’ve worked hard, studied hard, and learned a great deal, but this is some pretty complex material. The OSCP certification wouldn’t be as valuable as it is if it wasn’t difficult. Each machine is like a handcrafted, one-of-a-kind puzzle-box, with no instructions or guidance. I’ve got to solve five unique puzzle-boxes in 24 hours.

The best I can do is practice on VMs that I expect are similar to my targets, and hope that the skills will carry over. Which is exactly what I’ve been doing. After my PWK lab time ended, I spent some time tackling Hack the Box, then practicing Buffer Overflow design.

Today, I took a “practice exam” designed by Nate Curry. I had a little difficulty getting the lab set up, as one of the VMs was designed only for VMware (and was broken) while the rest of the VMs were designed to work with VirtualBox. So after about an hour, I had four of the five VMs set up, and I was ready to get started.

At noon I began my practice exam. That gave me approximately six hours before my wife got home, after which point “hacker time” would be over and “family time” would begin. Today was my wife’s birthday, and we had a big evening planned. I figured that six hours wasn’t optimal, but it would at least give me time to root one, maybe two boxes.

I started AutoRecon scanning the network, determined which machine hosted the Buffer Overflow challenge, and began the process of writing a new Buffer Overflow exploit. Having practiced with BOF design so much in the last couple days, I had the process down smooth, and I managed to finish my exploit within 45 minutes. Escalating to root was quick after that. 1 hour in, 1 box rooted. Not a bad start!

I returned to AutoRecon to check on the results, exploring each system and probing for weaknesses. The “practice exam” came with a text file containing the “true names” of each machine, as well as their point values, but I didn’t want to look at the machines’ names, otherwise it might spoil the fun. So I wasn’t sure which IP went with what point value, nor which machines were considered “easier” targets. So I just went through them in a linear fashion, starting with the lowest IP.

I rooted the remaining three systems within the next four hours. There were some fun little twists and challenges, a few twists and turns and false leads, but on the whole they were pretty straightforward.

At 5pm my wife sent me a text saying she was coming home. There was still one machine I hadn’t yet rooted: the one that only works with VMware. I tried booting it up in VMware, but it didn’t want to load. I re-downloaded the entire 3 GB archive again to ensure the VM was clean, and it still wouldn’t load. So I spoiled the surprise, figured out what machine it was, found it on VulnHub, downloaded a fresh image, and finally got everything set up, with only 30 minutes to go before my wife got home.

Even if I’d wanted to cheat and read a tutorial, I didn’t have time to find a good one and follow along on my own network. I figured I probably couldn’t beat it, but I would see how far I could get, and I wouldn’t seek help.

35 minutes later, I was doing the “root dance” and celebrating the fact that I’d beaten the practice test in only 6 hours. I hadn’t expected to beat two machines, let alone all five!

Then I switched out of “hacker mode” and into “husband mode” and we went out and celebrated my wife’s birthday and had a great evening with friends.

All in all, a damn good day.

I expect that the OSCP machines will be significantly more difficult than today’s practice exam. I expect to be bruised and bloody when I reach the other side. But today’s practice test has shown me just how far I’ve come, just how much I’ve learned. And it feels pretty damn good.

I’ll likely be “radio silent” the next couple days, but I look forward to posting more tutorials and walkthroughs in the coming days.

Anyway… Big day tomorrow. Time to get some sleep.