For the uninitiated, the Offensive Security Certified Professional (OSCP) is an ethical hacking certification that demonstrates a pentester’s ability to breach systems in a timed manner as well as document their findings in a professional and ethical manner. In the security world, the certification is the defacto entry-level certification known for its toughness coming from its “Try Harder…” attitude — now it’s mine.
My first attempt came about in December 2020 after dedicated studying for about 3 months. The test, a 24-hour timed hands-on exam, can be a soul-crushing experience filled with rabbit holes, buffer overflows, and more rabbit holes than you can shake a stick at. Needless to say, after 24 hours of work with only a 3 hour nap, I barely missed passing by one privilege escalation.
Luckily, the second attempt went much better. While the topic is still on my mind, I wanted to jot down strategies I had going into the second exam attempt broken down by:
- Pre-exam (Studying)
- During the Exam (Testing)
- Post-exam (Reporting)
While I did ~30 machines during my PWK coursework and lab access period, it wasn’t enough for me and I needed more so I jumped on TJ Null’s list for Hackthebox machines. A great set of machines, but I’d recommend three other resources to help supplement that are more OSCP-specific.
- Virtual Hacking Labs (VHL) — One month should do fine if you’re willing to spend the money. Some other users notice that there is a “VHL” way of doing some boxes, but this isn’t a totally bad thing when you need reinforcement of the basics. The experience using their network and boxes had also been very pleasant and reliable. VHL also has its own “course” with neat tricks to add to your repertoire.
- Offensive Security’s Proving Grounds — Go ahead and treat yourself to the $20/month practice package. While the platform isn’t as ironed out as Hackthebox, VHL, or Tryhackme, you can’t beat practicing machines built by the company that administers the test. For me, the experience of knowing how Offsec will “trick” me was a huge help.
- Udemy (Linux and Windows Privilege Escalation course by Tib3rius) — To help supplement your PWK material, Tib3rius has some fantastic courses on Udemy to help with post-exploitation. He goes into enough detail to explain privilege escalation concepts with hands-on examples that help you understand “what” to look for when you need to elevate privileges. For me, this helped fill in some of the gaps I had from my own studies prior.
All in all, I did all but a few VHL labs and a bit over 20 Proving Ground labs in the month between exam attempts. The additional real-life experience of those ~40–50 boxes helped tremendously.
I do want to add on a (somewhat) controversial topic when it comes to studying; I think walkthroughs are okay. There were plenty of times during my OSCP prep that I would have exhausted my knowledge, I needed a leg up. Hints and walkthroughs helped me understand gaps in my own methodology and as someone who worked on their own without a mentor, sometimes a little nudge goes a long way. If, however, you decide to use hints, make sure you’ve exhausted your options prior to looking and that you run the exploit/attack yourself after viewing the answer. Building muscle memory and good instincts is crucial.
During the Exam (Testing)
Shared VirtualBox Folders — I’m not sure how your virtualbox/vmware setup is configured, but messing around with networking is a nightmare and I don’t recommend it during the test. Instead, I used shared folders between my guest Kali VM and my host OS to eliminate the need for file transfers. This also helps with data integrity just in case something happens to your guest OS, your data is safe on the host.
Take pictures — My host OS is Linux (pop_os!) so I configured a special profile in Shutter for the OSCP. Save every single screenshot and exploit result — it doesn’t cost you anything but hard-drive space to save a picture.
Do the buffer overflow first — You heard me. If you’ve practiced basic BOFs, let Autorecon run for your other boxes while you work out the BOF. Saves a ton of time letting you focus on your BOF exploit, while Autorecon does the heavy enumeration for you in the background.
Terminator — Become familiar with screenshots and terminal logging in Terminator. If you don’t log every console output, I’d recommend at least logging your low-priv sessions so you can go back on your command history.
Report early — Whenever you perform a successful exploit, run it again taking screenshots of each step along the way. Not only will this reinforce that your exploit works as intended, but lets you retrace your steps from your notes that will come in handy when writing your report. If you can’t run the same exploit the same way twice, you can’t really rely on someone else to run it.
Breaks — take em. Even if you solve a “quick” or “easy” box. Take 5 minutes to walk around your place, call your mom, eat some hot pockets. Resetting yourself is important while you’re ingesting all the enumeration info from different targets.
The report can be nerve-wracking, but don’t worry. I recommend using Offsec’s template — it’s fine for what you need it for and available on their Exam Guide page. I used the OpenOffice template in Google Docs perfectly fine.
While I highly recommend you become familiar with the reporting requirements in the Exam Guide, here are my tips for writing a successful report:
- Make sure you can run your exploits and attacks reliably from the exam more than once.
- Pretend you’re writing this for your grandmother (sorry g-mom). Don’t assume your audience knows what they need to use a netcat listener for, but there isn’t a need for detail-overload.
- Commands and steps should be copy/paste right from your report
- At a minimum each compromised machine’s exploit step should have:
- A summary of the vulnerability
- The steps to reproduce the vulnerability
- Exploit code (with link to the original) if you modified it, otherwise, a URL to exploit-db.com is fine
- ipconfig + proof.txt/local.txt outputs
Some others seemed to worry about providing recommendations for mitigations, but I did no such thing. Keep it simple and effective.
If it helps, my report was about 40 pages for 3 machines with nmap outputs and exploits.
The OSCP is a monster of an exam and I commend anyone who has even studied for it. That said, at the end of this particular chapter in my pentesting journey, this is an entry-level exam that really focuses on enumeration and a proficient attacker’s mindset. All the tools in the world won’t help you if you can’t apply them to a curious mind. That’s the intensity and beauty of this learning path wrapped up in one. I’m excited for what the future holds now having cemented this milestone.
For those struggling through the OSCP prep, or really anything else, you can do it with the right mindset. Anyone can do it once they learn how to try harder..