OSCP Exam

To put it bluntly, it didn’t go very well.

There were a lot of reasons for that, which I will go into, but in the interest of making sure I’m not just making excuses I’ll start with the ones that I can take responsibility for.

Firstly, to be fair, I didn’t make the most of my lab time. That is, I went with 30 days of lab access, which was a little more than enough to get through the course materials, but with little time to work through the labs. And, since I ended up with a semester at an inconvenient time there was a large time frame between the labs and the exam, which meant that my week(ish) to prepare was mostly theory.

Maybe I didn’t “try hard” enough, as the Offensive Security motto goes. I mean, I did only put in 12 hours out of the 24. I knew how it was going and decided on a good night’s sleep. And I ran out of things to try. Or was I just not trying hard enough?

Maybe I underestimated it, maybe I didn’t put in enough study. I think those would all be fair reasons, which I take full responsibility for, and if I decide to take it again I’ll spend more time cracking away at practice machines. (I am still undecided whether I want to take it again, for a few reasons, none of them that I’m sad and giving up, but I’ll save that for another post.)

Now, for some middle-of-the-way-complaining. The whole thing was just a massive shit-show, and everything is always harder than it needs to be. Possibly not by design. But if it was, just why? Like I get challenge and problem solving and adapting and dealing with problems, but come on.

From go I kicked off some recon scans (thanks to nmapAutomator) so I’d have a solid report after I was done with the buffer overflow. Great. The actual buffer overflow though. How hard can it be, not really in the labs, I got through the course material on it fine. I was feeling confident.

Send in a unique string, bad characters, return address, shellcode, easy right. Nope. Got through all the steps, things were going fine, generating the shellcode was a bit tricky given the amount of bad characters but I got something out. Send it through. Exception. Why? Let’s find out, don’t you love a nice challenge? Ok, return address is fine, successfully jumped into the nops, going through the shellcode, great, seg fault. What? The shellcode is broken? How? It’s not even something I have much control over?

Ok, check the bad characters again, nope, all good. But I was starting to notice some random manglings in my buffer of A’s and C’s. Why? No idea to this day. Can’t be a bad character since it’s got the same characters around it. Why is it always the same hex value? It’s not even the same every time.

You know when you get annoyed at something that doesn’t work and you don’t know why, and you just start changing random things hoping the computer magic will be different and it’ll work? So, I started doing that. Changed the amount of nops, which changed what was going on for some reason? (Although maybe that’s just because it’s failing differently every time anyway?) Maybe it’s the alignment? Tried a whole bunch of different values, nothing.

It’s not like I can generate different shell code, or debug the shell code (and even if I could I shouldn’t have to, it’s not part of the course.) This is like the one thing that isn’t meant to go wrong. Can’t be network interference, I’m doing it locally. Can’t be bad characters since all the ones I’m sending are going through, and it’s not like the same thing is even happening when I run it. How? Why? Is it my fault? How do I fix it?

I decided to call it and move on. After like 4 hours.

(This is getting to be a long one, oh well.)

Didn’t get much better from there. Looked over my recon report, seems there are vulnerabilities to check. One of them is vulnerable. Great, finally a win of some sort. Ran the EDB exploit. Its web shell does nothing, even though it’s definitely vulnerable, and the exploit should be working. Fine. Why not? This is a little more than swapping out shellcode, but I guess it’s in the scope of the course. Did some research, got some better webshell code and uploaded it. It works, yes. Uploaded netcat and got an actual shell. Started privilege escalation. Uploaded a script and did something else while it ran.

Got back the results and scheduled tasks looked like the best option? There was like a million of them though and I don’t have time for that. I’ll come back to it. When I came back to it I’d already had enough by that point and it wasn’t going to happen. I probably could have kept looking, and maybe got somewhere here, but even then.

Couldn’t even crack a shell on any of the other boxes. Did my recon (fairly exhaustively I’d like to think, but maybe I missed something?) and got to work. No vulnerability scripts raised anything, no version numbers had hits in EDB (when there were even version numbers), no web interface to inject. Played around with things, looked into things, sometimes something seemed promising, only to be nothing. (There is a little more to some of them than that, but this is long enough and it doesn’t matter too much.)

Maybe it was me? But I feel like for a course around “put the version number into EDB and run the script”, it wasn’t quite that simple. Sure, maybe that’s not the course, but what else am I supposed to do? Look harder, I guess? I’ll save it for a future post, but I think we can do better as teachers than “look harder” (or whatever variant of that is going around).

This is more a sad, feelings-y post (as well as an “I’ll study harder next time”).

I liked the course materials (even if it doesn’t really prepare you well for the exam, or how to do any job, but that’s for another day). But I just found the exam, I want to say, disappointing?

I’m happy to take responsibility for the large part I have in that feeling, and lots of other people do well and/or like the exam. I am feeling frustrated, disappointed, defeated, and worried I’ll never be able to do my job well. I’m happy to say that I failed in many ways, and be accountable to my part in it.

But. Without making excuses. I’m still disappointed with the exam, what its point is, cyber security education in general (which I’ve written about a bit before), and how the education, assessment and actual work relate. I don’t feel like the course prepared me for the exam (even taking into consideration the independent study and research expected, and the lack of time I spent in the labs). I don’t think lost is something that I should be feeling while taking the exam (except maybe in small doses), or in the labs (which is part of the reason I didn’t make the most of the time that I did have in the labs).

I’ll give a quick example of privilege escalation. In the course materials, there’s a chapter on privilege escalation. Just one chapter. It’s seven pages. I’m not even kidding. That chapter says to look for local exploits (using what?) and run them, with an exercise on running an exploit. It also says to look for “misconfigurations” and has an example of replacing a binary with weak permissions (which you found how?) that is run as a service by SYSTEM (which you found out about how?). Then there’s a paragraph about looking for passwords in web app code. Thanks.

To be fair, there’s also some blogs that other blogs will recommend if you do some research. They’re ok, but not great, due to similar problems, and the good old “run this (but I won’t tell you what you’re actually looking for)” security education trope.

Sure, I could have done better. But I hope you can see my point?

The next disappointing thing, as with all certifications, I don’t feel like it actually prepared me for security work in any way. Sure, the OSCP is practical and hard (as opposed to a multiple choice test), and it is “entry level”. But like, what’s the point of most of what I actually learned? (Not trying to be bitchy, but I’ll give an example that might make it make more sense.) When will I ever need a buffer overflow? Sure, it’s the first step for exploit development and research, but there’s a lot more to it than that. And that’s assuming I want to go that way with my career?

Not trying to throw too much shade. I do think we can do a lot better when it comes to education though (which I’ll write some more about in a little while). But those are the reasons I don’t know whether I’ll bother attempting the exam again (unless I need to for some corporate reasons), but either way, it wouldn’t be until next year anyway (and I’d spend a bunch more time in the labs, and do some more studying).
