OSCP All you need to know
Back again with the “All you need to know series”, but this time for a good reason, which is the review of the OSCP certification, that I have recently passed.
This post won’t explain how OSCP certification works, if you are reading this, you already know, instead, I will be giving my personal experience and resources I used during my training, which lead me to obtain this certification in my first attempt.
Offsec Academy
Once you buy the OSCP boucher, you will get access to the PEN-200 offsec course, which covers all the technical knowledge required to pass the exam.
This course is designed for people starting in cybersecurity, so each topic is explained in detail with lot’s of resources available to use in case you need more context of a certain technique.
After having done the courses of several certifications, I can say that the PEN-200 material is the most easy one to follow, everything is properly structured and each topic is followed by practical labs, in order to reinforce and put in practice what you have seen in the theoretical part.
In my case, I read and completed all the course materials, may not be crucial to pass the exam, but I highly recommend it, if not, you may find something during your certification process that you are not familiar with, which may lead you to fail the exam.
Is crucial to take notes of every content and exercise you see/solve during the course, having good cheat sheets and notes, will lead you to succeed. I would not have passed the exam without good notes, I’m 100% sure of that.
For this task, I used Notion, but there are several tools out there which may fit better to you, like GitBook or Obsidian.
Once I have done all the course, I started with the CHALLENGE LABS.
The “CHALLENGE LABS” consist of 6 practical environments, which are meant to put in practice and reinforce the knowledge you should have acquired during the course, but this time in a more realistic environment, these challenges are focused on the following topics:
- 1 - Medtech (Active Directory and Pivoting) big network.
- 2 - Relia (Active Directory and Pivoting) big network.
- 3 - Skylark (Active Directory and Pivoting) big complex network.
- 4 - OSCP(A/B/C) Each one simulates a real OSCP exam.
Skylark is the hardest lab, the following text is extracted from the Offsec PEN-200 course:
Please note that Challenge 3 is significantly more difficult than Challenges 1 & 2. It requires a substantial amount of pivoting, tunneling, looking for information on multiple targets and paying close attention to post-exploitation. It is beyond the scope of the OSCP exam. If preparing for the exam is your main objective, you may wish to work through Challenges 4, 5 & 6 before returning Challenge 3.
I skipped Skylark and completed Medtech, Relia and OSCP A/B/C, being OSCP A/B/C the important ones, as they are the most similar to the exam.
During the OSCP certification process, is very important to manage your time correctly, so as a tip, I recommend you to do one of the OSCP (A/B/C) labs as if you were doing the exam, set up a 24h countdown and try to complete all the machines in time, by doing this exercise, you will learn how to manage your time when facing the real certification proctored exam.
Proving Grounds Practice
Once I completed all the course and challenge labs, I wanted to practice more, so started to make Proving Grounds Practice machines in order to keep improving my methodology. Is known that you may get similar CTFs during your certification exam, so PG is a good way to keep practicing once you completed the course.
The following table represents the machines I’d done In PG Practice, you can do the same ones, as they are similar to the ones you will encounter in the exam:
If you don’t want to pay for PG Practice, you can also follow the TJNull HTB OSCP preparation list which can be found here Link. I also did some Windows machines from there, which were the ones I was less confident with.
Facing The Exam
Once I completed everything, was time to take the exam. In my case, I had scheduled the exam at 21pm because I had to work in the morning. I recommend that you schedule the exam around your usual timetable, but in my case this was not possible.
With a lot of pressure on me, I started with the AD set, this was my strategy, get the AD set as fast as possible and then go to the Standalone machines. But got stuck 2 times for a long time, 3/4h each, which lead me to finish the AD set around 8am. Achieving access to the DC was a great source of motivation, which lead me to try getting one of the Standalones machines before going to sleep. I recommend you to scan all three targets and try to go for the one you find easiest. That’s what I did, and after 2/3 hours, I managed to root the first Standalone, consequently passing the exam with 70 points.
This was the moment I decided to go to sleep, with the awesome feeling that I had already passed the exam, and still having more than 10h left.
Wasn’t able to sleep too much (3h), when I woke up and continued with the second box, where I got user access after 1 hour, granting me 80 points.
I was pretty tired, so decided to stop trying to get more points, and started to write my report. For the report, I used the Offsec Template and Google Docs, followed the same format as the template, and explained in detail every step I made during my exam to achieve the Flags, including links to every tool I used during the Enumeration/Exploitation and Post-Exploitation phases.
At the end of the next day, I submitted my report, and after waiting 1 day for the report to be corrected, I got the email from Offsec.
Useful Resources
I have summarized some of the resources that you may find useful during your certification journey:
- All the binaries I used during the exam, can be found here. Link
- Msfvenom Payloads list. Link1 Link2
- Windows Privesc. Link1 Link2 Link3
- WADComs, is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments. Link.
This last one is pretty useful when you don’t know what else to try.
The Exam was that hard?
Has been almost a month since I got my OSCP, and I have been thinking a lot about this certification. If I have to be honest, I think that the OSCP, is not meant to be technically hard, that doesn’t mean you don’t need to know how to exploit the different targets involved in the exam. But I think the main point of this certification is about mindset. The exam proves totally your “Try Harder” capabilities, they are 23:45h of constant mental struggle, between nerves, tension and fatigue, only if you are capable of managing that situation, you will be able to pass.
If you have done everything I mentioned on this post, you know everything needed to pass, you only need to manage your mental during the proctored exam and apply the “Try Harder” methodology in order to succeed.
Hope this post helps you to become certified soon and Merry Christmas!.
Slayer 12/23/2023