There are a ton of OSCP guides and reviews. I decided to share my experience and review of Penetration Testing with Kali (PWK) course and the Offensive Security Certified Professional (OSCP) exam. I will try to express my mind and share my background experience, as well as I would love to share resources and exercises that I found helpful in my journey to become OSCP certified.
Whoami ?
- 8 years experience in penetration testing
- Active CTF player
- Actively solving Hackthebox and Vulnhub machines
About The OSCP
The OSCP is a highly respected certification in the infosec community and just one of several penetration-style certifications offered by Offensive Security but is probably the most popular one in Offensive Security.
Who Should Consider the OSCP?
Offensive Security states that the OSCP is designed for professionals already in the information security field that want to take a “meaningful step into the world of professional penetration testing.” They specifically list network administrators and security professionals as potential candidates, and they make it clear that this is considered a gateway certification into the world of penetration testing.
Pre-course recommendations
- A “Never give up” attitude because it will certainly test you for sure.
- Time to dedicate to learning and following random rabbit holes
- Basic knowledge of networking, Windows/*Nix, Kali, common tools of the trade
- You don’t have to be a programmer but learn some python ahead of time and be comfortable with making minor changes to existing code.
- Solve VulnHub machines.
Coursework
I highly recommend doing all of the exercises and any that you struggle with should be done multiple times and accompany outside research. The material is laid out well and in some cases the video has things that are not in the PDF’s so it’s good to do both but do not set your boundaries. The material will give you a solid foundation but it’s only going to get you started on what you’ll need to know to do the lab and exam machines. The real learning takes place on your own while you struggle to pop boxes and elevate privileges. You’ll be in all corners of the internet researching things and figuring out why a particular task isn’t being successful and that would be your real challenge.
The Lab
This definitely deserves a separate section because it’s the key to passing the OSCP exam and the most rewarding part of the course. The Lab comprises of systems mimicking a company network with known vulnerabilities and common misconfigurations over various network subnets. In order to successfully compromise a system, you have to gain administrator/root access on a system and capture the flag i.e “proof.txt”. Without practice it would be really very difficult for anyone to solve these labs so I recommend great practice.
The exam (Real Game)
The exam is a 24-hour practical exam followed by 24 hours to submit the report. During the first 24 hours, you’ll be expected to accumulate enough points (70) to pass out of 5 total machines of varying point values. You really need a solid methodology and time management skills to pass the exam. I’m not sure of the fail rate but I feel very comfortable in saying that it’s probably high. Just about everyone that I’ve personally talked to has not passed on their first try (including myself). You shouldn’t let any of that deter you as I promise you’ll learn something out of the experience.
How to Enumerate Properly for the Exam
When performing enumeration on the OSCP exam, remember to remain focused on the objective. 24 hours is more than enough time to pass the exam, so take your time and enumerate everything properly. If you think you’re tracking on something, keep at it… And don’t forget to use both Google and searchsploit to search for exploits. In my opinion, it’s always better to check if something exists, even without the version number. That way you can at least determine if what you’re searching for already has potential known vectors for exploitation. For example, if you encounter a website with a tag at the bottom that identifies its technology (ex: “XYZ CMS”), try looking it up to see if any exploits are already known. It will help alleviate some stress if you can determine your attack vectors as early as possible.
Exam Tips
Here are some tips to prepare for exam:
- Read PWK exam guide find out Do’s and Don’t during exam
- Do time management for your break time and sleep
- Plan your point collecting route before the exam begins
- Document as you go and backup your notes regularly to avoid data loss
- Get familiar knowing when you fall into rabbit holes
- Create a plan and stick to it, schedule breaks
- Have your cheat sheets ready and shells for various occasions
- Don’t get stuck on any one machine rotate, every few hours
- Write your report ahead of time so that you only need to add your exam notes in
- Stick to your methodology and enumerate EVERYTHING
- Start off with light port scans and work your way to more advanced ones
Misc Tips
- Whitelist your VM directory in your antivirus program on the host machine.
- Disable PHP on your Apache server, or else you may serve a shell to your own hacking VM.
- Manually logging into the OffSec VPN gets old fast. Set up autologin for the VPN connection.
- For best results, use VMWare and Student VM copy given by offsec (In Lab as well as In Exam)
- Use the Impacket SMB server for copying files from your Kali machine to a Windows target. This method almost always works out of the box on Windows targets. You can then do things like copy \\attacker-ip\sharename\nc.exe from the target machine. It’s much simpler and more likely to work than the FTP and PowerShell methods outlined in the course materials
Exam Report
The Exam report is mandatory to pass the OSCP exam even if you have compromised all machines during the exam. Upto 5 points may be earned by submitting your lab report. If the course exercises are included then you may earn an additional 5 points. In all you need 70 points to pass the OSCP exam. The lab report and course exercises could be incredibly helpful when you are short of points. I used a tool called Cherrytree during exam for creating a report.
Interesting facts:
I’m a caffeine addict – I probably had about more than 15 cups of coffee during the exam .
Final word
3 days later I received an email with my results, It was mentioned that I successfully passed the exam! It was amazing. OSCP is the best professional experience of my life till yet.
The material is presented to you and it’s up to you to figure out how to use it and learn from it which translates across many domains – not just pentesting or infosec. Failure is part of the learning process which contributes to the end result if you can stick it out. You just have to learn from that failure and keep trying, and of course Try Harder.. my advise is shape your skills, dedicate to it, and have fun during the process. Good luck on your OSCP journey!
Useful Resources in OSCP Journey
Wargames, different topics – 2
Wargames, binary exploitation, etc
Pre Exam For Future OSCP Students
Linux Privilege Escalation Lab (Room)
Windows Privilege Escalation Lab (Room)
Enumeration Topic
LinPEAS – Linux Privilege Escalation Awesome Script
Windows Privilege Escalation Awesome Scripts
Privilege Escalation:
Windows Privilege Escalation #1
Windows Privilege Escalation #2
Basic Linux Privilege Escalation
Window Privilege Escalation Guide
Helpful in shells
Enjoy 🙂