My OSCP Adventure — Lessons, Tips, and Thoughts
Reflections on my journey tackling one of the most rigorous exams in cybersecurity.
Among the various certifications available to the infosec community, the Offensive Security Certified Professional (OSCP) stands out as a highly regarded entry-level credential for its demanding technical challenges and emphasis on real-world penetration testing.
Preparing for the OSCP is no easy task, and I wanted to share with the wider community some tips and lessons learnt.
enumeration - On Learning
The realm of technology is vast, it’s no wonder there is a lot of literature on “learning how to learn”. This is by far one of the most important lessons for an IT/infosec career. I've gathered some points on effective learning to feed into your subconscious.
Try Harder
A common reply to pleas for help, "Try Harder" isn't just about blunt knowledge. Rather, it's about being persistent, creative, and perceptive in the face of challenging circumstances, be it new frontiers, time limits and unknown variables.
Know the Fundamentals
A stable foundation lays the groundwork for a magnificent structure.
Running commands is fun and all, but what happens if something goes awry? A misbehaving command? Weird wonky error messages?
Not all machines are built like the textbook exercise. Often, there will be variations, ranging from the micro scale (name and IP) to the macro scale (attack paths, exploits). In these cases, it helps to understand the deeper elements at work, and save yourself from mindless flailing.
Although I entered cybersecurity with barely any networking knowledge, I found it valuable to understand concepts such as TCP/UDP, Public vs. Private IPs to better comprehend port scanning and port forwarding.
Know Your Tools
A sharp arsenal can yield returns in productivity.
Over the past few months, I grew intimate with commands like less
, reverse search (^r
), and other terminal shortcuts. The beauty of these commands is their portability; if I SSH into a Linux machine, I can immediately enjoy these shortcuts.1
For those interested in maximising productivity on the Linux terminal, I've collected most of my command arsenal into a Linux cheatsheet.
Engage More Through Active Learning
- Summarise portions of text.
- Take notes along the way.
- Ask yourself questions about the content, then answer them by googling or asking others.
- Practice with the exercises and labs.
- Share your knowledge with others, be it colleagues, friends, or in writing. Give yourself the opportunity to explain concepts. Not only do others get to learn, but you also get to learn through teaching.
Reshape Your Thinking with a Growth Mindset
Identify weaknesses and opportunities for improvement, rather than for comparison. Everyone's learning journey is different.
Instead of saying "Rubbish, how am I expected to know that technique?", ask yourself: "How can I improve my methodology to ensure I don't miss this during future enumerations?"
foothold - Tips and Tricks
Before Purchasing
1. Plan your 3 months.
If you plan on doing the course bundle with 90-days lab access, make sure you find a good three months with fewer obligations.
I made the mistake of starting in December, which unfortunately for me, was packed with events I couldn't exactly weasel out of. Oh, then there was Chinese New Year in February. :D
Maybe your December is less busy or it's just that my personality demanded social relief, but understand that you'll need to balance your time down the line and account for full-time work/study and events.
2. HTB Starting Point
To those with some technical background (programming, CTFs, etc.), I recommend trying out HTB Starting Point. Although these challenges are more CTF-esque (not so real-world/OSCP-like), they strengthen your networking and Linux fundamentals, while providing practice enumerating boxes with nmap and searching for exploits. The walkthroughs also tend to be well-written and explain concepts in detail.
3. Linux, Networking, Python, C
To those with less technical background, I suggest strengthening your fundamentals. In the OSCP, you'll be running Linux commands and occasionally modifying exploits.
Familiarise yourself with the common Linux commands. How do you go to a folder? Create/move/delete a file? Edit a file? With practice, these commands will become second nature, enabling you to navigate the Linux environment efficiently.
Rudimentary networking knowledge is also useful. HTB Academy has some free modules (Intro to Networking) which you can read in your spare time.
It would also be worthwhile to strengthen your programming fundamentals, especially in Python and C. Most exploits are written in Python, possibly the archaic Python 2. (You may also want to read up on differences between Python 2 and 3.) C is also common for low-level exploits.
Techniques
1. Enumerate all TCP ports... and SNMP.
Enumeration is the first step towards obtaining a foothold. Missing a port can lead to hours wasted following a rabbit hole.
Make sure you enumerate all TCP ports plus SNMP (UDP port 161/162). Don't be quick to dismiss SNMP. It's a good hiding spot for misconfigured credentials.
Often, a full port scan will take a while. Run a fast scan first, so that you can begin enumerating web services, FTP, SMB, etc.
Some better recon tools may cover this for you.
2. Save enumeration output.
Do yourself a favour by saving all nmap, dirbust, PEAS output to files. Output is easily lost in the command line, either due to new command output, VM issues, or happy little accidents (oops! you accidentally pressed ^D
and closed your terminal).
Examples:
- nmap (
-oN out.txt
) - feroxbuster (
-o out.txt
) - winPEAS (
winpeas.exe log
, outputs toout.txt
) - linPEAS (
linpeas.sh >out.txt
).
I usually exfiltrate my PEAS and mimikatz output, keeping a local copy in case I need to revert the machine. (Also I just like to use less
to browse large files.)
Tools
1. less is more
For browsing lengthy text such as scan output, help output, and logs, I like to use less
. Less is a built-in program with neat features, such as searching and filtering with regex. Some scenarios where I use it are:
- Reading
nmap
output and jumping to a specific host. - Scrolling through PEAs output.
- Running
less
,F
to get a scrolling view of a running command.
I've included less
commands in my Linux cheatsheet, so that you can be fearless on the command line. 🙂
2. Don't rely on automated exploitation tools.
Although Metasploit and SQLMap are great tools, avoid relying too much on them. Their usage is restricted during the exam (for good reasons). To prepare for the exam, refrain from using automated exploitation tools in the practice labs. Reach for Metasploit only if you really need it.
3. Kali vs. ParrotOS
If you're using a VM on a resource-constrained machine, consider using ParrotOS over Kali.
My laptop only had 8GB RAM with a poor GPU, and Kali was rather resource-intensive. Opening BurpSuite/Firefox quickly made a helicopter out of my hunk of metal.
ParrotOS consumes less resources, runs pretty fast on smaller machines, and has a helpful community. And although the PEN-200 course is designed for Kali Linux, it's not too hard to rewrite commands for ParrotOS.
This is not for the faint of heart. I would only recommend switching to ParrotOS if you're already familiar with Linux, you have the patience for environment setup, and you like birds.
Graphical Acceleration | Min. RAM (GB) | Min. Storage Available (GB) | |
---|---|---|---|
Kali | Required | 2 (8 for Burp/Firefox) | 202 |
ParrotOS | Not Required | 1 | 202 |
Doomsday (The Exam)
1. Preparing for the Exam
- Ensure you have two free days. 1 for the exam, 1 for the report.
- Prepare snacks/water and a space free from distractions.
- Breaks: you're allowed to take any amount of breaks (just message the proctor then go). Eat, exercise, poop, nap, whatever.
2. During the Exam
- Get a good rest before the exam.
- Screenshot all interesting commands and findings.
- These screenshots provide necessary evidence during report writing. You’re expected to walk through your exploit chain step-by-step. It's also a good habit for real-life pentesting.
- Do not forget to screenshot your local/proof.txt. (Refer to the exam guide.)
- You're allowed unlimited use of msfvenom + msfconsole for simple reverse shells. They’re useful for generating exe's fixed to a specific port.
- Don’t underestimate a good nap. Even a power nap (10-30 min) can help. You have plenty of time to work in your meals plus some naps.
- If you can, bag the 10 bonus points! They increase your chances of passing. Without bonus points, 3 out of 5 pass scenarios would be ruled out. (I was not willing to take that chance. And it was worth it.)
Resources
Useful tools and resources:
less
- built-in Linux tool for viewing text.- feroxbuster - dirbusting with nicer UX.
- HackTheBox Academy: Introduction to Networking - reading material to get up to speed on networking basics.
More resources you may enjoy, which I didn't use (so I don't have a well-formed opinion).
- autorecon - automated enumeration tool which combines port scanning, dirbusting, SMB, SNMP scanning, etc.
- TJ Null’s list - extra boxes in HackTheBox, TryHackMe, OffSec Proving Grounds, and more. The PEN-200 exercises + labs are sufficient preparation, but extra practice doesn't hurt.
pe - Personal Experience
A brief reflection of my OSCP journey.
Four years ago, I wouldn't imagine myself learning Windows in detail. Unix systems always seemed more developer-friendly, and I had no intention of leaving that ecosystem. One year ago, I wouldn't imagine myself being able to explain Active Directory concepts — it was that intimidating. But after practice, I can confidently say that I'm now in a better place. 🙃
A bit about me… I come from a programming/CTF background. By some luck, I secured a job offer working as a cybersec consultant—gruelling hours, rewarding learning experiences. It wasn't easy balancing study with work; flexible work conditions helped for sure, but other commitments began to creep into my schedule.
Despite that, I managed to complete 80% exercises and 4 labs (1, 2, 4, 5), nabbing the 10 bonus points before the exam. The labs were exceptionally helpful in strengthening my methodology and knowledge base, without which I probably wouldn't have passed.
Come exam time, I woke up with a refreshed mind and executed what I had rehearsed. Port scanning. Directory busting.
About an hour in, my VM suddenly froze. "Arghh! Not again!" This has been happening on-off for a while, and to this day I still don't have a fix. But I was mentally prepared; and after reenacting "Y U NO" guy for a few minutes, we were back in business. Don't you just love unexpected interruptions?
Finding footholds were tough. There were moments when I harboured fears of failure. But I persisted. Because I had to try harder. And because I didn’t want to deal with the corporate administrative bullshit for failing and registering a second attempt.3
Thankfully, privilege escalation wasn't too hard on my set of machines. After gaining a foothold, it took about 15 minutes (for each machine) to escalate and obtain root. Eventually, I made it out with 3 rooted individual machines plus a local admin on the external AD computer — 70 points including bonus.
All that's left was to type the report on Obsidian, export it to PDF, submit the report, and call it a day.
By the way, if you think the OSCP is hard, you should try the Hong Kong Driving Test. Most people fail on their first try.4
pwned - In Closing
Learning is a process; you don't learn by simply taking an exam. Rather, true learning comes from the preparation and the valuable lessons gained from your mistakes along the way.
Learning is not a linear path, but rather a dynamic and iterative process. It involves pushing your boundaries, exploring new ideas, and embracing challenges along the way. Exams are just milestones in the larger journey of learning. Stay curious, and keep learning!
Footnotes
Surprisingly, Windows PowerShell also uses
^r
for reverse search. Double win! ↩︎20GB is for a minimal install (e.g. no desktop). This is usually not enough. Considering common hacking tools, BloodHound, wordlists, personal notes, etc., we're looking at 50GB or more. I've set mine to 60GB. ↩︎ ↩︎
"Hi, I regret to inform you I did not pass my exam." "Noted with thanks. If you plan on a second attempt, please reapply through the appropriate 12-step procedure." Ugh, no thanks. ↩︎
Surprisingly, the OSCP and the Hong Kong Driving Test are on-par on so many levels. The passing rate is low. They don't precisely reflect real-world situations, due to being overcautious. There are multiple components (written + practical). ↩︎
Comments are back! Privacy-focused, without ads, bloatware, and trackers. Be one of the first to contribute to the discussion — I'd love to hear your thoughts.