January 21, 2021

OSCP Prep Advice



The OSCP is a coveted, well-known title bestowed upon individuals who endure a daunting 24-hour penetration test on a simulated network of five servers. The student is expected to compromise each server in the isolated network, then compile a professional report detailing replicable steps for obtaining access and remediating the threats. Although I cannot speak more on the actual exam process, I am excited to offer advice on how a student in my position six months ago can better prepare for this test.

Over the weekend, I spent 48 hours in test mode. Within 20 hours, I was able to root all five machines in the exam network and submitted my 60-page penetration test report the following day. On January 18th, I was officially declared an Offensive Security Certified Professional and could proudly share this title with prospective employers and fellow academics.





Contents:

  1. The Early Prep
  2. Next Steps
  3. The PWK
  4. After the PWK
  5. During the Exam
  6. Conclusion



The Early Prep

If you have already decided to take the exam but aren't sure where to begin your studies, this section will provide some clarity. Embarrassingly enough, my first experience with the Linux command line and CLI applications was with a PC video game called Hacknet, where your aim is to follow the instructions of a recently deceased hacker to bring down an evil corporate entity all from your terminal. It sounds cheesy, but it still taught basic Linux commands and enumeration techniques! Interesting stuff. More realistically, here are some resources for getting started from the very beginning:

  • Over The Wire: Learn basic Linux commands and how the terminal works from the ground up. Ideal for complete beginners.
  • Hacknet: For if you prefer the gamified version of learning pentesting methodologies and terminal basics.
  • Try Hack Me: An EXCELLENT resource for starting out. The Linux Fundamentals module is especially helpful if you are a complete beginner.

Now, it should be mentioned that none of the above resources will hold your hand throughout the process; the same is true of just about every red team training you come across. This is to ensure you develop the patience and harsh attention to detail required of an OSCP. Take your time going through at least two of the above resources and really understand how things work. Copying and pasting commands from online instructions will only set you back later on.


Next Steps

Once you have a firm grasp on the Linux command line and have a foundational understanding of how command line interfaces work, it's time to hit the field. There are several online penetration testing lab resources available and we are experiencing a renaissance of self-taught red team outlets. After picking up the fundamentals, here is what helped me perform actual penetration tests on vulnerable machines:

  • Hack The Box (paid): Once you buy a subscription, you have access to several beginner machines to practice with, in addition to documented steps on how to compromise systems. In the beginning, it is recommended to get as deep as possible into a system on your own, then fall back to guides when you hit a wall. Over time, you will hit that wall later and later, until you are eventually cracking boxes completely on your own.
  • Try Hack Me (paid): This one is a bit more beginner-friendly compared to Hack The Box, since there is a bit more of a hand-holding element to hacking into things. This is an extremely helpful way to learn, but practice with these challenges and come back to HTB as you gain more experience.
  • Vulnhub (free): If you need an excuse to finally set up a home lab, this is the motivation you need. With a home lab in place, you can download hundreds of FREE vulnerable operating systems and host them on your own network.


The PWK

At this point, you feel a bit more confident about your ability to compromise remote servers and feel up to the challenge of the PWK. The PWK itself is an immensely long textbook complemented by a simulated corporate network. The objective is to exploit as many machines as possible within your lab time, and the lab is an excellent resource for building your knowledge of exploits and further developing your hacker methodologies. Personally, I read about half of the course textbook and exploited two machines each day due to time constraints. I also recommend scheduling an exam date ASAP due to an overwhelming demand for certain time frames.


After the PWK

Your PWK lab time has run out and you have a bit of time to kill before your exam. In my situation, I had two weeks of time to fill in the gaps before my exam and here is how I spent it:

  • TJ Null's OSCP Hack The Box list is a list of vulnerable machines available on Hack The Box that are similar in nature to those on the OSCP exam. Exploit every machine on this list and take notes on how you generally reach your goal.
  • Take a practice test using a set of five random vulnerable machines. If the full 24 hours doesn't work out, maybe try knocking out two within a target time of five hours.
  • Be able to do a stack based buffer overflow with your eyes closed and upside down. Although I am exaggerating, this is the only part of the test that you can practice step by step beforehand. This Try Hack Me room makes BOFs trivial to write in Python. Then practice on Brainpan and Brainstorm.


During the Exam

Here are a few tips to get you through the test when exam day comes around!

  • 24 hours is a ton of time. Just like your studies, continue to be patient and pay careful attention to each tiny detail you come across. Nothing can be missed.
  • Take breaks often. During my exam, I took a break each time I would reach a new phase in the pentesting process (foothold, privesc, finishing a machine). You need a clear mind every moment of this exam, and neglecting to step away for a bit can wear you down quickly.
  • Document everything. There is no worse feeling than exiting the proctor session and forgetting to screenshot a proof or a critical step. In total, I took around 200 screenshots and organized them on my host machine using Obsidian.
  • Have backup plans. In the event that something goes horribly wrong with your host or guest system during the exam, be prepared to move over to a secondary computer or a backup Kali image. In addition to having a backup system, back up your notes after each machine as well.
  • It is hard to think when you're hungry or thirsty. Try to have your usual meals throughout the day to prevent that temper from becoming too hot.
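The "back up your notes after each machine" tip is easy to automate so it actually happens under exam pressure. The script below is an added example, not part of the original post or any Offensive Security material: it snapshots a notes directory into a timestamped tarball, writes a SHA-256 manifest beside it, and provides a check that confirms the archive is intact before you move on. It assumes a notes directory and a backup directory of your choosing (the paths and the "machine1" label are placeholders) and that `tar` and `sha256sum` are available, which they are on Kali and most Linux systems.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot exam notes after each
# machine and verify the copy with a SHA-256 manifest.
# Assumptions: GNU coreutils (sha256sum) and tar are installed; the notes
# directory, backup directory and label are supplied by the caller.

# backup_notes NOTES_DIR BACKUP_DIR LABEL
# Creates BACKUP_DIR/notes-LABEL-<UTC timestamp>.tar.gz plus a .sha256 manifest
# and prints the archive path so it can be verified or copied elsewhere.
backup_notes() {
    notes_dir="$1"
    backup_dir="$2"
    label="$3"   # e.g. the machine you just finished (placeholder label)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$backup_dir/notes-$label-$stamp.tar.gz"
    mkdir -p "$backup_dir"
    # Archive relative to the parent directory so the tarball keeps short paths
    tar -C "$(dirname "$notes_dir")" -czf "$archive" "$(basename "$notes_dir")"
    # The manifest is written with a relative name so it verifies from any location
    ( cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Returns 0 only if the manifest matches and the tarball lists cleanly,
# i.e. the copy is neither truncated nor corrupted.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) \
        && tar -tzf "$archive" > /dev/null
}

# Typical exam-day usage (paths are placeholders):
#   archive=$(backup_notes "$HOME/exam-notes" "$HOME/exam-backups" machine1)
#   verify_backup "$archive" && cp "$archive" "$archive.sha256" /media/usb/
```

Run `backup_notes` as soon as a machine is finished and `verify_backup` on the copy you place on your second system or USB drive; a backup that was never verified is the one that turns out to be unreadable at 3 a.m.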


Conclusion

And that is all I have to offer in terms of advice! In short, begin with Hacknet, Try Hack Me, and Over The Wire. Make progress in Try Hack Me's Offensive Pentesting pathway, do TJ Null's Lists, and never stop trying harder.