Well, I completed my OSCP lab time in late December and it was a great experience. I had to devote countless hours during the 3-month lab time to completing the exercises as well as attempting to break into as many systems as possible. Overall the training was excellent with the provided materials being very well organized and explained extremely well. I was already well versed with various techniques used in the class, however my experience outside of Metasploit was somewhat limited. The prohibition of using Metasploit modules against most of the exam systems really motivated me to break into all the systems without the aid of Metasploit; I did however use Meterpreter to make persistence a bit easier.
Through the experience I found various systems quite easy to own, but others definitely proved to be a challenge. During the course of my 3-month lab time I managed to get into all but two systems (Humble and Sufference), which are some of the most difficult systems in the lab environment. However, I needed a little more time to finalize my report (yay forgetting a couple key screenshots), so I elected to extend my time by another two weeks. Sadly, due to a hectic work/life schedule I had to delay this extension, and the exam, by far too many months.
Finally May rolled around and I had enough spare time to really devote the two weeks to finish my lab report as well as take the exam. Once I finally extended I managed to complete my report while only using one of my 14 days. This left me with plenty of time to work on the final two systems, both of which I already had a really good idea how to get in. Fast forward another 3 days and I was very happy to have rooted every box in the lab environment! At this point I finalized my report which included all systems, a grand total of 500 pages of gitbook produced PDF, a huge undertaking.
I decided to take my exam during the long Memorial Day weekend, taking Monday to do the exam and leaving Tuesday to work on the report. During my lab time I realized quite quickly that I needed to make my report in conjunction with attacking the machines, so I proceeded with the mentality that I would take extensive notes and screenshots at all stages. I did not want to run into the situation where I would have passed my exam but failed due to missing a critical screenshot. I must admit, while I felt very well prepared for the exam, I was extremely anxious due to what I felt was a lack of definition as to what was expressly permitted and prohibited during the exam. Interesting note: when I took the exam the use of Meterpreter was allowed on all systems, but post/aux modules were restricted to only one system. This liberty was part of my anxiety, as the definition of what constituted a post module was a little gray. After some research I found that the only real functions that were allowed at all times were the upload/download and shell functions. This was good enough for me. On an interesting note, they have changed the exam rules to state that Meterpreter is only allowed on one system; while this may seem limiting, it is probably more liberating than anything else.
I elected to take my exam starting at 8:00am in my timezone. I got a good night's sleep before and woke up nice and early to ensure I had time to eat a good breakfast and get some coffee brewing. As soon as I got my connection package I started enumeration and looking through the slightly different exam web interface. Around 9:00am I had my first box rooted and confidence was high. 30 minutes later a second system fell, and an hour and a half later a third! At this point I still did not have enough points to pass, assuming I had my extra credit points, so focus turned to the last two systems. By 1:00pm I managed to get a shell on the fourth box but privilege escalation was evading me. From my lab experience I kept trying harder, trying different techniques and looking in more places.
Well, this trend continued for the next couple of hours; it was quite aggravating. I kept switching which system I was trying to get into, which definitely did not help. I should have focused on one system and not hopped back and forth between them. Looking back, this would have made a much better strategy and probably provided less frustration and aggravation. Around 8:00pm I really started to get worried and a bit depressed, not knowing what I was missing. I still only had shell on one of the two systems and absolutely nothing on the last one. I decided to take a bit of a breather and work on finalizing the 3 systems I had gotten into for the report. This was a much needed distraction, as when I went back to the system that I had shell on I noticed something interesting. I attempted to exploit the vulnerability I had discovered and at first I thought it worked! Sadly it had not, but it did provide a valuable clue as to what would work. Fast forward another 15 minutes and I shouted a “Woohoo!” when I saw the lovely “#” prompt on the system. Finally at 10:00pm I managed to root the 4th box, which would provide me enough points to pass the exam with or without extra credit (assuming of course that I had documented everything properly and did not lose points). I was elated. I went to go tell my wife (who was of course trying to go to sleep) but I guess she had heard my shout from across the house as she already knew what had happened, heh oops.
I spent the next hour finalizing everything and making sure it had every required screenshot in the exact format required. At this point I felt very, very good but I wanted to get the last box. I kept beating on it and beating on it until around 3:00am, a mere 5 hours to go. At this point I realized that I really was quite fatigued and should get some rest. I decided to take a quick nap until 6:00am so I could recuperate, but of course I found falling asleep quite difficult.
I managed to wake up and started going at the last system once again, continuously finding what I thought was the vulnerability but continually being denied. Finally 7:45am rolled around and my VPN disconnected. I had successfully gotten 4 of 5 systems and gotten enough points to easily pass. Looking back, I should have just gone to sleep a bit earlier. Once the exam was finished I took a nice long 6 hour rest and when I woke up I realized what I probably had missed, but sadly there was no way for me to test it so I expect it shall remain a mystery to me. Quite frustrating, since every machine in both the lab and exam is exploitable, and exploitable without the use of Metasploit or similar frameworks. I know I did try harder, I guess I needed to try smarter? Heh.
I finished polishing my report and sent it off to be graded at 4:00pm on Tuesday, the ordeal was over. Having finished PWK/OSCP I found myself happy and a bit sad. Happy that I had completed what I set out to do, own all the lab machines, generate an excellent report and pass my OSCP on the first attempt. I was also slightly sad, the experience as a whole had been a TON of fun, the roller coaster ride of the class was exceptional and I felt I wanted to do more, can you say OSCE in the future? =)
A few days later I received the excellent news, I am officially an Offensive Security Certified Professional!
The PWK course is extremely time intensive; make sure you have enough time dedicated to break as many lab machines as possible. I spent countless nights (well, not countless, probably around 90) going to sleep exceptionally late so I could hack just a bit longer. Overall it was challenging but not impossible, and very, very fun. I am very thankful to my employer for supporting me in achieving the OSCP, as well as my wife, who was extremely understanding for all the late nights I spent working on the exam and report.
I encourage anyone who is considering taking it to take up the challenge and attack this course. If you try harder you will succeed and attain the OSCP!