So I finally did it. After almost three years of studying on and off, a complete exam change, and a wedding, I finally passed the OSCP. The OSCP was a long-term goal for me. While I already had a job as a Penetration Tester, I wanted to pass the OSCP as it is regularly a "desired" skill for many job listings. There are some excellent concepts to learn while taking it, which will be useful during testing in the real world.
Preparation:
In March, I got the wonderful opportunity from work to purchase an Offensive Security Learn Unlimited subscription. I previously took the OSCP exam back in 2020 and came up just a bit shy. I got the buffer overflow (25 points), the 20-point machine, the user on the 25-point machine, and nothing else. So if you do the math, that is about 55 points when you need 70 to pass. I will admit that I'm pretty sure I noticed the privilege escalation at the 23-hour mark but simply ran out of time.
At that point, I was getting married in a few months and was still in my first year as a penetration tester, so I decided to take a break and casually study.
Fast forward to the start of 2023.
Once I got my unlimited subscription, I buckled down and returned to studying. When you first get the course material, watch all the videos, then take notes while watching them a second time. Remember this will be a hands-on exam, so the sections on concepts and theory only need to be reviewed once. Make sure you know how the underlying technology works, but reserve your notes for the hands-on content you will actually need during the exam. Otherwise your notes quickly become overloaded and disorganized. After you have watched the videos and taken notes, read through all the course text, because the text and the videos vary slightly and explain things differently. The exam can test you on anything in the course, so ensure you know everything and don't cut corners. Remember, there is a 2x speed feature in their video player.
Once you complete all the coursework, move on to the labs, which are much better than they used to be. There are six groups of machines, with 3 of those groups being practice exams. To get the extra credit, complete the 30 machines needed. Because I already had 30 machines from when I previously took the course, I only worked on the practice exam machines. I made sure I had 100% of all 3 practice exams completed before I scheduled my exam. After you solve all the machines, take detailed step-by-step notes of how you solved each box. Do this especially for the Active Directory sets. Having commands you can copy and paste is a big help during the exam.
If you get stuck on the labs, check out the Offsec Discord. The other students provide hints and can answer any questions you have. I have read a lot of OSCP reviews that all say not to look at hints. My view is: if you don't know how to do it, look it up.
Outside of the course, I had my subscription to Proving Grounds. Everyone talks about the OSCP-like machines on HackTheBox, TryHackMe, and Proving Grounds. With how good the course labs are, I would focus more on those than on the learning platforms. However, I did take all the OSCP-like machines and googled the walkthroughs for them all. I studied the various privilege escalations and footholds. Keeping all of these in your notes allows for quick reference.
The /r/OSCP subreddit is also an amazing resource. People mention tools that can help you out a lot. I used Rustscan and NmapAutomator on the exam; running both makes sure you didn't miss anything. Also, if you get stuck, AutoRecon can be a great tool. Once you have a foothold, winPEAS, linPEAS, and adPEAS can be very useful. These tools produce a lot of output, so look through the content slowly. Also, do it manually first and see if you can get any quick wins before you use the automated tools. Below are some other tools that I found helpful.
For Active Directory
adPEAS.ps1
chisel.exe
Invoke-Mimikatz.ps1
mimikatz.exe
EnableSeRestorePrivilege.ps1
PowerView.ps1
Rubeus.exe
For Priv Esc
JuicyPotato.exe
les.sh
jaws-enum.ps1
LinEnum.sh
nc.exe
PrivescCheck.ps1
PsExec64.exe
suid3num.py
winPEASany.exe
wget.exe
printerspoofer.exe
During the exam:
I wanted to do the exam on the weekend because, having failed it once already, I wanted to make sure no one knew I was taking it until I passed. So my slot was at 2 pm on Saturday. The night before, I cleaned my office for a good work environment. I laid out a notebook, a pen, and my wallet with my driver's license, and cleared almost everything else off my desk.
At 1:45, I logged on and set up the proctoring software. They ask you to show them the room, so be sure to have an easy way to unplug any external monitors, or have an external webcam, because spinning your computer around with all the wires attached can be challenging.
After connecting to the VPN, I started. Obviously, I can't go into details about the machines, but I will give you some of the best advice I have. If a machine does not seem to be behaving correctly, feel free to ask for it to be looked at. Offsec has a whole team dedicated to verifying that the machines are working. Something may genuinely need to be fixed, and because the exam is 24 hours, wasting a few hours on a broken machine can wear down your mental endurance. I can't recommend this enough.
Once you get a flag, STOP. Take screenshots and write down all the commands you used to get to that point. Only then move on to root. Once you get root, STOP. Take screenshots and write down all the commands you used to get to that point. Later you may be in a time crunch, or your brain may be jello, and you won't be able to put your notes together.
Once you get your 70 points, take a deep breath. You don't need 100 points. You only need 70, so ensure you have everything you need for your report to get those 70 points. Only at that point should you move forward and try to get any extra points. Double and triple-check that you took those screenshots of the IP address, user, and flag.
Post Exam:
Once the exam was over, I went to sleep. I used most of the exam time, so I had been up for quite a long time. I slept for a while, went out with my wife to grab something to eat, then came home to write the report. I had all the commands and screenshots in order, so it took little time. I uploaded it and waited. Officially they say it takes ten days to get the results, but thankfully it only took 3. The secret they don't tell you is that if you click on exam when you're logged into the portal, it will tell you whether you passed before you get an email.
I hope all of this helped. I think the new coursework is much better than before. You don't need to search the internet to learn every concept. Do the coursework, do the labs, and take notes. You can pass the exam with that. Good luck!