The only OSCP guide you need


Introduction

The OffSec Certified Professional (OSCP) certification is one of the most recognized penetration testing certifications, well known not only because it is frequently required in job postings and respected in the industry, but also for the level of difficulty required to get certified.
OffSec certifications are quite expensive (the cheapest pack starts at $1000+ USD), and if you buy the cheapest pack, you will have a very limited amount of time to study the material.

Here is the exact approach I followed to go from failing my first OSCP attempt with 40 points to passing with a perfect 100. This guide covers everything from studying the material to putting your skills into practice and taking the exam.

Guide

Course options and why PEN-200 matters

The first thing you must do, of course, is acquire the knowledge required to reach the level of the exam. The course that I think is the best option for this is PEN-200, as it is the official course created by OffSec for the exam, and it follows the approach of covering the theory of a specific subject first and then putting that theory into practice. There are, however, many other courses out there that can give you the knowledge for the exam. Some of the courses that I have heard people take besides PEN-200 are:

  • Practical Ethical Hacking course by TCM Security
  • Windows and Linux Privilege Escalation courses by TCM Security
  • Active Directory rooms from TryHackMe
  • Hack The Box Academy (there are modules for Active Directory and penetration testing in general)

The only problem I found with building your own path is that you won't have the structure laid out for you to get from the basics to the more advanced topics. You'll have to do some research to create that path, and you may struggle to make connections when moving from one course to another. By doing the PEN-200 course, everything is well structured and you won't lose time creating your own path.
I won't give you tips on how to choose other courses, as this wasn't the approach I followed; I do want to highlight, however, that before starting PEN-200 I did the PEH course and the Windows and Linux Privilege Escalation courses by TCM Security, as well as the Offensive Pentesting path on TryHackMe, which includes the Active Directory rooms. These courses really helped me strengthen my skills and made the PEN-200 course easier to digest.

Role of practice labs

OffSec courses are based on practical, hands-on training, and although you'll see a lot of theory, in my opinion what makes OffSec courses stand out is how the training is structured.

When going through the course, you'll first see the theory behind an attack with examples; after you finish the theory, you'll do a lab that lets you put into practice what you just learned. This theory-followed-by-practice cycle repeats many times within a single module. When you finish a module, you'll again have some labs that are vulnerable to the attacks you just practiced, with slight variations that make you try a little harder to complete them. You'll also have access to the challenge labs, a set of interconnected machines that let you put into practice all the content you learned throughout the entire course.

In my opinion, there will never be a moment when preparing for the OSCP exam where you will not benefit from doing these labs. Yes, other training platforms such as HackTheBox are great; however, these labs are made by OffSec and are structured in a way that prepares you for the OSCP exam, so I rank the course labs as the best way to prepare, especially if you are a complete beginner.

For the challenge labs, I recommend not doing them right after finishing the course, but rather leaving them as the last practice before the exam. First you'll use other boxes to practice and build your methodology, as explained in the following sections.

OSCP-like boxes lists

If you finish the entire course and its labs and want to practice more (and I recommend practicing more if you want to ace the exam), there are lists such as LainKusanagi's and TJNull's that contain machines that let you practice technical skills similar to those needed in the exam.
I recommend doing these machines not only to put into practice everything you have learned so far, but mainly to create your own methodology for attacking a box from start to finish, which will be the key to the exam.

The lists have machines from different training platforms, all of which are great, such as HackTheBox, Proving Grounds, VulnLab, and more; however, if I have to select one, I'll choose PG. Why? Proving Grounds machines are made by OffSec, and so is the OSCP exam. By doing these machines, you'll learn how OffSec builds its machines and how it challenges you to compromise them.

Building your methodology

When I talk about creating your methodology, I mean that you have defined your steps to compromise a machine all the way from enumeration to post-exploitation. This methodology must include which scans you run, which ports you are going to look at first after your initial scan, how much time you are going to spend enumerating each port, when you take breaks, the tools you use, how you take notes, and so on.

This is the real key to passing the exam. Yes, of course you also need all the knowledge taught in the course, and there are tons of places where you can learn it, but that's only half of the game. OffSec certifications are also designed to teach you how to manage your time and energy, how to organize yourself, and how to think clearly and outside the box even when you are tired. If you have well-defined steps to compromise a machine before getting to the exam, you will already know how to handle these constraints easily.

For example, at a very high level, my methodology looks like the following:

Enumeration

Get open ports and service information
I'll enumerate the open ports and then gather information about the service behind each one.
The first command I'll run to get the open ports is:

sudo nmap -T5 -p- <ip>

After getting the list of open ports, I'll get information about them with the following command:

sudo nmap -A -p <open-ports> <ip>

This saves time by running the 'all' scan (-A enables OS detection, version detection, default NSE scripts and traceroute) against only the ports that are open rather than all 65,535. Two caveats: -T5 is aggressive enough to time out probes and silently miss ports on a slow or lossy link, so if the results look thin, re-run the sweep with -T4; and -p- covers TCP only, so a separate UDP scan (-sU) of the most common ports is worth running in the background while you work on the TCP results.
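The two-stage scan above, wrapped in a script so the second stage is fed automatically from the first. This is an added example and not the post author's script; it assumes nmap is installed and sudo is available, and the target IP and output directory are its arguments. The port-parsing helper works on any nmap grepable (-oG) file, so you can reuse it on an earlier sweep without scanning again.

```bash
#!/usr/bin/env bash
# Two-stage nmap wrapper (added example, not from the original post).
# Stage 1 sweeps every TCP port; stage 2 runs -A only against the ports
# stage 1 found open. Target IP and output directory are arguments.

# Pull a comma-separated list of open TCP ports out of nmap's grepable (-oG)
# output. Works on any -oG file, so it can also be reused on an old scan.
parse_open_ports() {
    grep -o '[0-9]\{1,5\}/open/tcp' "$1" | cut -d/ -f1 | sort -un \
        | tr '\n' ',' | sed 's/,$//'
}

full_scan() {
    local ip="$1" outdir="${2:-scans}"
    mkdir -p "$outdir"

    # Stage 1: all 65535 TCP ports. -T4 with --min-rate keeps this fast without
    # the probe time-outs that make -T5 silently miss ports on a lossy link.
    # sudo is needed for the default SYN scan (and for OS detection in stage 2).
    sudo nmap -T4 --min-rate 1000 -p- -oG "$outdir/$ip.allports.gnmap" "$ip" >/dev/null

    local ports
    ports=$(parse_open_ports "$outdir/$ip.allports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $ip (try -Pn or a slower -T setting)" >&2
        return 1
    fi
    echo "open TCP ports on $ip: $ports"

    # Stage 2: -A (OS detection, version detection, default NSE scripts,
    # traceroute) against only the open ports; -oA saves all three formats.
    sudo nmap -A -p "$ports" -oA "$outdir/$ip.detail" "$ip"
}

# Usage: ./scan.sh <ip> [outdir]
if [ "$#" -gt 0 ]; then
    full_scan "$@"
fi
```

Keeping the stage-1 file means you can re-run stage 2 with different options (for instance adding --script vuln) without repeating the full sweep, and the -oA output of stage 2 gives you an .nmap file to paste straight into your notes.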

Getting access

After learning which ports are open and some information about the services running, I'll try to find exploits for those services to get initial access.
If none of the running services has a vulnerability that gets me initial access, I'll enumerate ports that may leak information, such as 21 (FTP), 139 and 445 (SMB) and 389 (LDAP), since anonymous logins, null sessions and readable shares on these services often hold the credentials or files required for initial access.
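The anonymous-access checks for those ports, as an added example rather than the post author's tooling. It assumes curl, smbclient and ldapsearch (the usual Kali tools) are installed and takes the target IP and, for the LDAP user dump, an optional DNS domain name; the base-DN helper is included because ldapsearch needs a base DN such as dc=corp,dc=local and it is easy to get wrong by hand.

```bash
#!/usr/bin/env bash
# Anonymous-access checks for 21 (FTP), 139/445 (SMB) and 389 (LDAP).
# Added example, not from the original post. Assumes curl, smbclient and
# ldapsearch are installed. Arguments: <ip> [domain].

# Build an LDAP base DN from a DNS domain: corp.local -> dc=corp,dc=local
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# 21: anonymous FTP directory listing (curl speaks FTP; -l lists names only)
ftp_anon() { curl -s --max-time 15 --user anonymous:anonymous "ftp://$1/" -l; }

# 139/445: SMB null session. List the shares, then recurse into every Disk share.
smb_null() {
    smbclient -N -L "//$1" 2>/dev/null
    # in -L output the share name is column 1 and the type column reads "Disk"
    smbclient -N -L "//$1" 2>/dev/null | awk '$2 == "Disk" { print $1 }' | while read -r share; do
        echo "== //$1/$share =="
        smbclient -N "//$1/$share" -c 'recurse ON; ls' 2>/dev/null
    done
    return 0
}

# 389: anonymous bind. Naming contexts first; with a domain, dump user accounts
# and their description field, which on lab boxes sometimes holds a password.
ldap_anon() {
    ldapsearch -x -H "ldap://$1" -s base namingContexts 2>/dev/null
    if [ -n "${2:-}" ]; then
        ldapsearch -x -H "ldap://$1" -b "$(domain_to_basedn "$2")" \
            '(objectClass=user)' sAMAccountName description 2>/dev/null
    fi
}

# Usage: ./anon-checks.sh <ip> [domain]
if [ "$#" -gt 0 ]; then
    ftp_anon "$1"
    smb_null "$1"
    ldap_anon "$1" "${2:-}"
fi
```

Empty output from a check is a result too: note it and move on rather than re-running it with more verbosity, which is exactly the kind of rabbit hole the time-management point later in this guide is about.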

Privilege Escalation

After getting an initial access, the first thing I'll do is try to get quick wins to escalate privileges.
On Linux I'll try the following:

  • Enumerate which commands I can run with sudo to elevate privileges
  • Enumerate binaries with the SUID bit set and check them on GTFOBins
  • Enumerate file capabilities
  • Check the /etc/crontab file for scheduled tasks

On Windows I'll try:

  • Enumerate privileges with the whoami /priv command
  • Check whether any services have unquoted paths
  • Check registry keys that may hold passwords
  • Check installed services for known vulnerabilities

If none of the quick wins work, I'll start enumerating the whole system to look for a privilege escalation vector.
If, after some time enumerating, I couldn't find anything valuable, I'll run LinPEAS or WinPEAS.
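The Linux quick wins above as a script, added here as an example; it is not the post author's tooling and it covers only the Linux side (the Windows checks would be a PowerShell script). Each check is its own function writing to stdout, so you can run one at a time or dump everything to a notes file. The GTFOBins name list is a hand-picked subset, an assumption, not an export of the site, and is only there to highlight which hits to look up first.

```bash
#!/usr/bin/env bash
# Linux privilege-escalation quick wins (added example, not from the original
# post). Usage: ./linux-quick-wins.sh --all [root-dir]  or source it and call
# the functions individually.

# 1. sudo rules for the current user. -n avoids hanging on a password prompt;
#    empty output means either no rules or a password is required.
sudo_rules() { sudo -n -l 2>/dev/null; }

# 2. SUID/SGID binaries below a root directory ($1, default /).
#    -xdev keeps find off network mounts and /proc.
suid_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 3. Reduce a SUID list ($1 = file written by suid_binaries) to basenames that
#    have a GTFOBins entry. Hand-picked subset (assumption), not the full site.
flag_gtfobins() {
    local names='bash|sh|dash|find|vim|vi|nano|less|more|python[0-9.]*|perl|ruby|awk|gawk|nmap|env|cp|mv|tar|zip|base64|systemctl'
    grep -E "/(${names})\$" "$1"
}

# 4. File capabilities; cap_setuid, cap_setgid and cap_dac_read_search are the
#    ones that usually turn into root.
file_caps() { getcap -r "${1:-/}" 2>/dev/null; }

# 5. System cron entries with comments and blank lines stripped.
cron_entries() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)'
}

# 6. Scripts referenced from cron that the current user can write to: a
#    writable script run by root's cron is a privilege escalation on its own.
writable_cron_targets() {
    cron_entries | grep -oE '(/[A-Za-z0-9._-]+)+' | sort -u | while read -r path; do
        [ -w "$path" ] && echo "$path"
    done
    return 0
}

if [ "${1:-}" = "--all" ]; then
    root="${2:-/}"
    suid_list=$(mktemp)
    echo "== sudo -l ==";               sudo_rules
    echo "== SUID/SGID ==";             suid_binaries "$root" | tee "$suid_list"
    echo "== GTFOBins candidates ==";   flag_gtfobins "$suid_list"
    echo "== capabilities ==";          file_caps "$root"
    echo "== cron ==";                  cron_entries
    echo "== writable cron targets =="; writable_cron_targets
    rm -f "$suid_list"
fi
```

Run it once right after landing a shell and paste the output into your notes; if nothing in it leads anywhere within your time box, that is the point at which the guide moves on to full system enumeration and then LinPEAS.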

So, after you have finished the course (or courses) and are moving on to practicing with boxes or the challenge labs, define this methodology before you start. It doesn't have to be perfect; you'll improve it with practice. Then follow it as you do these boxes and challenge labs.

Improving your methodology

The first time you define your methodology, it won't be perfect. When you finish a machine, look back and see what you did well and what you did wrong. This will help you evaluate what you need to work on. Maybe there was a vulnerable service but you didn't get its version, which highlights that you need to improve your service enumeration. Maybe there was a path on a web page that exposed another vulnerable web application, which highlights that you may need to improve your directory fuzzing. Maybe there was an Active Directory setting that you didn't enumerate or know about, but that led to Domain Controller compromise. Or maybe you went down a rabbit hole that cost you a lot of hours, which tells you that you need to work on your time management.

From here on, it is just a matter of trying, adjusting, and trying again.

You'll see that after doing a decent number of boxes, rooting a box feels much easier, handling things you have never seen before becomes second nature, and you can root almost any box without needing a hint. Your ability to read, research, and put things into practice will improve drastically, which is the Try Harder mindset. Now you are more than ready to take the OSCP exam.

Simulating the Exam

I would suggest leaving the OSCP-type labs from the challenge labs for the end of all your practice, and for each lab giving yourself 24 hours (maybe on weekends) to root everything you can. I would also recommend starting these 24 hours at the same hour your exam begins. For instance, if you scheduled your exam to start at 8:00 am, start the challenge labs around 8:00 am on the days you selected. The point is to simulate the OSCP exam as closely as you can and get your mind used to these intense 24-hour periods.

Taking the exam

By now, there is no need for luck; you've built skill, strategy, and endurance. You already know everything from all the boxes and labs you have done: you know how to handle time constraints, how to exploit a service you have never heard of before, and what to do when a tool is not working. Taking the exam is just like rooting a few boxes on a training platform.