My OSCP Experience - Tips and suggestions for those pursuing OSCP certification
I recently successfully passed the OSCP exam after 400+ days of preparing and studying. These are my thoughts on the experience and suggestions for those considering or actively pursuing OSCP.
Completing the OSCP certification was an arduous process. And I would not wish it to be any other way.
The work involved to build the skill required to pass OSCP can seem daunting, but it is more intimidating in thought than practice. I would have liked to complete this certificate a lot sooner, but I have a job, a family, and sold/purchased a new home in 2022. If I can do it on my hectic schedule, so can you!
This post isn’t intended to serve as a resource with very specific guides, links, documents, etc. (though there will be some of that). My goal with this post is to share what I’ve learned and hopefully provide some helpful context into the mindset and practices required to pass.
Study Plan Outline
My study plan was pretty simple - put in time every day (ideally 2+ hours) and root as many boxes as possible. I didn’t get to study every day, but I got 5-6 days a week in, nearly every week for a year.
If I could start over, I would have subscribed to the LearnOne plan for year long access to the OSCP labs. Sadly, I did not and this meant that my time with the OffSec labs was limited. With my initial run of access, I was only able to get 24 machines rooted. I ended up buying an additional 30 days after my first attempt so I could earn the bonus points for completing the interactive exercises and 30 boxes (more on bonus points below).
There is a direct correlation between number of machines rooted and likelihood of passing, so this should always be the focus for OSCP hopefuls.
For the time that I did not have OffSec lab access, I focused on completing machines off of the TJNull list. Most people will recommend focusing on machines from OffSec’s Proving Grounds (PG), which are the most likely to be similar to OSCP machines, since they are created by the same group.
I did complete a large number of machines on PG, but if I am being honest, I much prefer HackTheBox (HTB) machines, particularly the ones on TJNull’s list. I made a copy of the Google Sheet and worked my way through as many as I could (about half by the time I passed the exam). Doing this group of machines was when I experienced the most growth in my skillset.
Below I hope to outline things I learned that really helped me pass. I’ll try to break them down.
Methodology
The most important thing to do is build a solid methodology. I have three templates that I work off of that contain commands to run in various steps.
All of my templates are written in markdown and stored in GitHub. This allows me to iterate on my templates as I learn more. Each time I start a new box, I create a new file box_name.md, copy the template, and start running commands and filling it out. It starts with a few basic nmap commands then leads to running automated tools like nmapAutomater.sh, gobuster, nikto, etc. Similarly, once I have gotten initial access, I have another template for privilege escalation, by OS.
My templates have changed completely from the beginning. The biggest leap I made in my methodology was being better at writing down possible ways to compromise a box. While I am doing enumeration, I try to think about what I can do with the information I find. If I find FTP and a PHP/Apache web app, I am immediately thinking "Let’s upload a PHP webshell and see if we can access it in the webroot and run my code." So I write in my template a note about that possibility.
Then, after spending several minutes trying to exploit that possibility, if I don’t make immediate progress, I go back to looking for more possibilities. This is an important thing to keep in mind so you don’t get stuck in rabbit holes but also because it helps you build context.
I got advice from a kind redditor on this that was so good, I put it directly in my notes and forced myself to read it before starting my 2nd exam. I cannot find the original post, so sorry if this was you! I swear I looked!
Easy lab box: find all network services, start interrogating the configuration and content of each service, "Hey it looks like Service A is just blatantly served by some old shitty software that has a CVE", download an exploit PoC, read it and maybe modify it a little, exploit.
Average exam box: find all network services, start interrogating the configuration and content of each service, "Service A's configuration was slightly too permissive so I found a log file that disclosed the username/password of an account for Service B," log into Service B, Service B is a mail server and if you peruse some of the mail you discover some final piece of information about Service C that finally makes it obvious Service C is vulnerable, then you can at last download an exploit PoC, read it and maybe modify it a little, exploit.
For anything beyond the basic and generic methodology you build, use HackTricks to get service/port specific attacks. This was my most used resource.
Rabbit Holes
Based on my experience with OffSec, they really want you to be good at spotting rabbit holes. By this I mean, you find something that you’re certain is exploitable, but nothing seems to be working. Or you’re missing credentials and you’ve just got to find them. Or you need to do an AV bypass and then you can exploit! Or maybe…!
Getting trapped in a rabbit hole is bad for a number of reasons. You waste time, you might get frustrated or burnt out, and if you stay too long, you can’t see much else.
A lot of this just comes down to experience and keeping your expectations in check. Most of the time, OSCP does not contain any exploits that are very difficult to understand or successfully run.
Generally, if you can’t get it to work after an hour or so, you need to take a step back. During my exam, I forced myself to get up about once an hour. This forced me to stop hitting the keyboard and start considering what I was really trying to do.
Active Directory
I was lucky enough to have the curveball of OffSec changing the exam structure midway through my studies. Like many others, I immediately panicked about the addition of AD and the strong emphasis in scoring.
I’m here to tell you: It’s not that big a deal.
The exploits and techniques required to compromise AD are not complicated. I have worked in Identity and Access Management in the past, and my current employer made a change to Azure AD (AAD) during my time there, so I would say I have above average knowledge of AD, but I am nowhere near an expert. I rely on several members of my team to manage our AD instance, so I am also not very hands on with it. AAD is a different beast than on-premise, but the basics still apply.
AD (especially on-premise) gets complicated, quickly. But the AD sets I encountered while studying and on the exams were very basic, with only a handful of users and groups with limited services.
Here is my best advice to crush AD on the exam - get outrageously good at compromising Windows boxes, regardless of if there is an AD component to that box.
I took the exam twice, failing the first time and passing the second. Both of those AD sets were very straight forward. The difference between my two exams was three things primarily:
My understanding of Windows and typical ways to compromise it.
Learning how to effectively pivot with port forwarding and/or Chisel and proxychains.
My mindset regarding compromising AD.
The right mindset is crucial. It boils down to this - don’t overcomplicate it. Think about these:
What users are on the domain?
What groups are configured on the domain?
Who are the administrators (domain admins)?
What SPNs are configured on the host?
Kerberoasting - List out the SPNs on the domain and if there are any that are specifically calling to another host/port within the domain
Credentials in Memory - run mimikatz and see if any of the accounts you enumerated are on the machine. Try cracking the NTLM hash, or passing the hash through something like psexec.py or evil-winrm.
It’s very important to not get overly focused or concerned about tools for AD enumeration and compromise. Most people are very worried about learning Bloodhound and get stuck thinking that will solve all their AD problems.
Bloodhound sh*t the bed on me in both of my exams. In the first exam, I could not get the extracted data to load correctly. On my second exam, neo4j (a dependency of Bloodhound) kept crashing with very odd kernel errors. I would not be the least bit surprised if these were caused by mistakes I made, but it became a time sink in the first exam and once I had issues in the second, I immediately ditched it.
You can do all of the bullets in my mindset notes with just a few tools. Master these, and you’ll crush AD.
CrackMapExec - Perfect for all your SMB enumeration needs. Also good for ASREPRoasting, Kerberoasting, LSA credential dumps (if you have user and password/hash). It also is useful for RDP, FTP, MSSQL and WinRM. It really is a Swiss army knife.
Impacket python scripts - So many useful and reliable scripts for compromising Windows machines in many different ways. If I tried to list everything here, you’d stop reading this blog post ;) Learn it!
PowerView.ps1 - Excellent Powershell module for Post Compromise AD enumeration. This will give you great ways to cover all of the points about methodology above.
Chisel - I failed my first exam because I did not use this tool. It’s important to remember, the attack vector to pivot in AD may not be directly related to AD. You might just need to drop chisel on a compromised box, tunnel your traffic through it, and use nmap with proxychains. The compromised box becomes your proxy and you start the next AD target as if it were a new machine.
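As an added example (not code from the original post, and not PowerView or CrackMapExec themselves), here is a read-only PowerShell audit that answers the mindset questions above for your own domain from the defender's side: it counts users and groups, lists the Domain Admins, the user accounts carrying SPNs (the Kerberoast exposure), and the accounts exempt from pre-authentication (the AS-REP roast exposure). It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the function name and the one-year password-age threshold are my own choices.

```powershell
# Added example, not from the original post: a read-only audit of the AD mindset
# questions, run from the defender's side. Assumes the RSAT ActiveDirectory module
# and a domain-joined session with read access; the one-year threshold is arbitrary.
Import-Module ActiveDirectory
function Get-AdExposureReport {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # assumption: audit the current domain
        [int]$MaxPasswordAgeDays = 365
    )
    # Who are the administrators? (-Recursive includes members of nested groups)
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Server $Domain -Recursive |
        Select-Object -ExpandProperty SamAccountName
    # User accounts that carry an SPN. Any domain user can request a service ticket for
    # these, encrypted with the account's password hash, so a weak or stale password
    # here is exactly what makes Kerberoasting succeed. krbtgt is excluded (always has SPNs).
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $spnUsers = Get-ADUser -Server $Domain `
        -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' `
        -Properties servicePrincipalName, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SPNs            = ($_.servicePrincipalName -join ';')
                PasswordLastSet = $_.PasswordLastSet
                StalePassword   = ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
                IsDomainAdmin   = ($admins -contains $_.SamAccountName)
            }
        }
    # Accounts exempt from Kerberos pre-authentication (UF_DONT_REQUIRE_PREAUTH = 0x400000,
    # matched with the LDAP bitwise-AND rule OID): the AS-REP roasting exposure.
    $asrep = Get-ADUser -Server $Domain `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        Domain              = $Domain
        UserCount           = @(Get-ADUser  -Server $Domain -Filter *).Count
        GroupCount          = @(Get-ADGroup -Server $Domain -Filter *).Count
        DomainAdmins        = $admins
        KerberoastableUsers = $spnUsers
        AsRepRoastable      = $asrep
    }
}
$report = Get-AdExposureReport
$report | Format-List Domain, UserCount, GroupCount, DomainAdmins, AsRepRoastable
# The rows to fix first: admin accounts that have SPNs, and SPN accounts with old passwords.
$report.KerberoastableUsers | Where-Object { $_.IsDomainAdmin -or $_.StalePassword } | Format-Table
```

Accounts in that last table are the ones to move to a group-managed service account or a long random password, and to remove from Domain Admins where the service does not genuinely need it.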
It’s important to have a good understanding of how AD works, but honestly the course material covers enough that you really don’t need much in the way of outside resources. In fact, I think going too deep on AD can really hurt you on the exam. Once you get past a very entry level understanding of AD, you could be wasting valuable study time and creating rabbit holes for yourself.
There are a total of 4 AD sets in the OSCP labs. Try to tackle all of them. From what I’ve gathered, the AD sets in the exam are extremely similar to the labs.
If for some reason you are limited on lab time, an alternative is HTB’s ProLab Dante. I did about half of the machines on here and it really helped me with learning pivoting. The boxes themselves were all very easy though and it quickly got stale. It’s definitely worth subscribing for 2-3 months if you don’t want to pay for OffSec lab access.
Privilege Escalation
Run WinPEAS/LinPEAS and get really good at reading its output. They include links to the relevant HackTricks articles, and honestly this was my most faithful tool for PrivEsc. It’s not going to catch everything, but I would say at least 80% of the time this leads me down the right path. For the other 20% of the time, this is where having a “manual” methodology is important.
Stand-Alone Boxes
Between my two exams, 5 out of 6 standalone machines were Windows. All of them were quite difficult. And unlucky for me, I am much stronger with Linux than Windows. The one standalone Linux box I got, I rooted in about 90 minutes. Maybe this is because of my bias, but if this were a box on HTB, I would have rated it as easy.
So to reiterate what I said above, get really good at hacking Windows boxes. Learn both cmd.exe commands and PowerShell commands.
Again, rooting more boxes means higher chance you’ll pass. You have to find a really delicate balance for yourself between struggling on your own and asking for help. There are tons of opportunities to get hints and write-ups for most machines, especially if you’re working off of TJNull list. This is really tough, but in the beginning, you may need a lot of help. The goal is to use less and less as you root more machines. When you do get a hint or read a write-up, update your methodology with what you learned!
The last couple weeks before my exam, I would only take a hint if I was almost certain I was on the right path, but that it required doing something I’ve never seen before and wouldn’t be able to just Google or guess. While doing retired machines on HTB, my favorite thing to do was read just enough of a write up to confirm the smallest bit of information I needed to move forward. The moment I got even an inkling of what to do, I would close the tab.
Buffer Overflow
To be honest, this was the part I was most intimidated by for OSCP, and I think a lot of people feel that way. I had BOF on my first exam, but not my second. So, it’s important that you practice this. But all you need to do is read the chapters on BOF in the course material, and apply this template. There are also two excellent videos that really helped me:
So the buffer overflow comes down to following instructions. They also don’t require typical enumeration. Once you practice, these become an easy 10 points on the exam, 20 if you can escalate privileges. I actually had hoped I’d get one on the second.
Bonus Points
This topic is tricky for me. I earned the bonus points and they definitely helped me pass. Going into the exam with 10 points is a big confidence boost but also gives you three paths to passing -
Complete the AD set and root one standalone box, my personal path to pass (40 + 20)
Complete the AD set and two low privilege shells (40 + 10 + 10)
Root all three standalone boxes (20 + 20 + 20)
If you do not have bonus points, you will not pass without compromising AD, since the 40 points is all or nothing.
However, all that said, getting the bonus points was an absolute slog and I got really frustrated with a lot of the exercises. A large number of them were not applicable (in my opinion), many of them were incredibly unclear and required asking for help (and then scratching your head saying “How on Earth would I have ever known to do that?”), and some of them were just flat out broken. I actually got a two week extension on lab time because one module was so badly broken.
So this decision is very personal and dependent on your level of skill/comfort going into studying. Beyond the exercises, you also have to root 30 boxes. OffSec announced the new bonus points once I was already pretty far along, but I bought a lab extension thinking I could get the exercises and 6 machines in 30 days easily (since I had done 24 in my initial lab time). I just barely got it all done, so if you’re just starting, expect to spend 30 days on exercises and at least 30 more to get all the root flags you need.
Conclusion
I hope this is helpful to at least some. Getting OSCP was stressful at times, especially trying to balance studying with the rest of my life, but it was very rewarding. I had very limited experience with hacking prior to this and now I feel like I have a new love. I plan to continue hacking and most immediately I am going to be focusing on Bug Bounty! I hope to publish about things I learn during that experience as well!