My OSCP Experience
After
- 1 month Hack The Box
- 2 months PWK Labs
- 2 months Proving Grounds Practice
- 130+ boxes in total, 57+ without hints
- 7 months of Trying Harder
I have obtained my OSCP! Here's how I did it.
Background
I have been thinking about doing OSCP since the start of 2021, when I read about it online. It was this mysterious "Entry Level" Cyber Security Certificate that could help you get interviews and more. I've read many reviews, online posts and more, and it seemed useful and a goal I would like to reach while I was in National Service (Singapore Army Conscription).
As a warmup, I started doing eJPT in July 2021 and passed it by September. I liked the experience, so I decided to bite the bullet and sign up for the OSCP exam.
I have the following background
- 19-year-old JC graduate, currently serving in the Army, incoming Electrical Engineering undergraduate
- Studied Computing for A Levels - Learnt Python and basic TCP/IP Networking
- Did various TryHackMe Boxes
- Participated in various CTFs
- Linux experience (through Raspberry Pi Tinkering)
My aim is to improve my cybersecurity skills in a verifiable manner. As such, besides just getting the certificate, I also aim to learn as much as possible.
Preparation
Resources Used
In order of resource used
| Platform | Paid Length | Boxes (with hints) | Boxes (without hints) |
|---|---|---|---|
| TryHackMe | Free | Various | |
| Hack The Box | 1 month | 37 | 5 |
| PWK Labs | 2 months | 48 | 24 |
| Proving Grounds Practice | 3 months | 17 | 28 |
| Vulnhub & PG Play | Free | 6 | 3 |
| PortSwigger Exercises | Free | Various | |
I followed TJNull's list here
Various Important Courses
- TryHackMe
- PortSwigger SQL injection and Command Injection labs
Other platforms (like TryHackMe) are good for practicing and building a basic idea of what pentesting is. However, I would recommend Hack The Box, due to the difficulty of the machines (and the similarity to the labs; trust me, you'll see machines which are the same), as well as Proving Grounds Practice (machines and methodology are very similar to the exam).
I've already covered what to do during OSCP labs in a few of my previous posts but in short
- 1st month I did the Lab Report + Machines without hints
- As my goal was to learn, not just to be certified, I did the lab report. I learnt quite a bit from doing the later course exercises.
- 2nd month I hacked more machines, last 3 weeks started reading forums
Strategy
I read many guides, some interesting ones are below
Unlike many of those guides, I actually didn't watch a lot of hacking videos (reading writeups is more of my thing, once I tried hacking the boxes), or study Network+ and other technical certifications. I focused more on hacking boxes and hands on experience.
Before I actively started preparing for it, I just did the occasional TryHackMe box for fun. I did not spend a lot of time beforehand studying.
Once I set my mind to getting an OSCP, I spent 1 month doing Hack The Box (October) after signing up for the course (and waiting for access to the materials), before moving on to the PWK Labs (November - December). I then registered for my exam in March, and practiced on Proving Grounds Practice in the 3 months before my exam.
In total I spent $1199 (PWK 60 labs before price hike) + $14 (HTB) + $19*3 (PG) = USD 1270 on the course.
Along the way, I used Obsidian to take notes on the machines and useful techniques, and backed up my notes regularly.
I'll probably never feel confident enough to jump into the exam no matter how many boxes I have hacked. So my mindset was "I learned so much in this process anyway. It's just an exam. It's worth retaking even if I fail", and I dived into the exam.
Methodology
This is something that is tricky to build up. There is no easy way or "cheat sheet" out of this besides hacking more boxes.
Some may argue that you should never use hints. Many others have argued that you should use hints after trying your best on a machine, or after a specific amount of time.
My stance is to not use writeups or hints until close to the end of the subscription, near the exam, or after a very long while. I think this helps to build perseverance. You are really forced to try harder and try everything, and this mental state is good for OSCP or any stressful situation.
That said, on analysing the machines I hacked, machines that I spent more than 10 days on (or about 6 hours at the screen) usually required me to use a writeup to solve.
I ended up using autorecon and getting comfortable with it. It may have a lot of command output, but I understand what it is doing most of the time, and I can fall back on manual enumeration if I cannot get sufficient information.
Here are a few technical tips I learnt throughout my experience
- Banner information may not be correct. Enumerate the version number of services
- FTP anonymous login doesn't mean you cannot log in as other users to get different directories. FTP servers can also start at different working directories (`/ftp` instead of `/` on login)
- Reverse shell ports that work (bypass firewall) are likely to be application service ports
- Pivoting is useful even for standalone boxes; you can access hidden network services for privilege escalation
Exam Experience
The VPN connection is also very similar to Proving Grounds.
You may notice that in my writeup I talk very little about Active Directory. The main reason for that is during my exam I actually could not do the AD chain. That's right, I passed purely on 3 standalone machines + lab report.
Here are some tips for the exam from me
- Breaks
- I took naps, meals, toilet breaks and more.
- Don't be afraid of leaving your screen for 1h or more.
- Use the time to get some good rest and go back recharged
- Backup
- Before my exam, I had to reboot my system and change host OS from Arch Linux to Windows due to an issue with screen sharing. Have backup plans in case things don't work
- My Kali VM crashed. It couldn't boot up. Luckily I restored a backup from 3 months ago that worked.
- I take notes while I'm doing the exam to be used in the report. Back up your findings, as they are important for your report
- Enumerate
- You can still learn new things on the day of the exam!
- Try enumerating the port in different ways. Research the information in different ways, eg. look at the version number, look at the source code and the related frameworks.
- Be Confident!
- Don't worry if you take a long time. I took about 8 hours to even get local on one box. My exam experience is that once I found something interesting, the machine could be compromised in 3 hours or so.
- Don't be afraid to use Metasploit/Meterpreter. I ended up using Meterpreter once in my exam, which helped speed up my privilege escalation process significantly.
Report Writing
This was scary for me. I did not want my effort during the 24 hours to all go to waste, especially if the results depend on a Lab Report.
Fortunately, Offensive Security included templates showing how to write the reports. They also have some useful resources
- https://help.offensive-security.com/hc/en-us/articles/360046787731-PEN-200-Reporting-Requirements
- https://help.offensive-security.com/hc/en-us/articles/4412170923924-OSCP-Exam-FAQ
During the exam, I made sure to take note of all command line steps and outputs. I also took regular screenshots, as well as the proof screenshot (with the contents of the proof, networking, and proof that the proof file was read from its original location).
For my reports, I included all necessary commands and related output. I did this for my lab report too as this helped train me to write my exam report. My exam report ended up as 65 pages, while my lab report ended up as 600 pages or so.
Some tips for writing the report
- Although the template report used screenshots for command line output, you can also just copy and paste the command output as text into the report. I did this as it makes it easier for the reader to "copy and paste"
- I wrote my reports in Markdown using the format here.
- I researched more about pandoc and decided to convert my Markdown documents to docx first, edit them in LibreOffice (Page Breaks, better Table of Contents), and export them to PDF for submission
- Test your report conversion before the exam. This helped me figure out issues with my report conversion before the exam (issues with special characters in my terminal), and switch to a system that works.
- Another good report format can be found here, this one provides resources
- I used an OSCP Exercise Checklist here to keep track of course exercises done. Keep in mind that your course materials may have different numbering, which happened to me.
- I included the autorecon nmap scans in my report.
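As an added example for the report workflow above (not code from the original post), here is a small Python helper that scrubs captured terminal output of ANSI escape sequences and stray control characters before it is pasted into the Markdown report as text, wraps it in a fence the output cannot break out of, and runs the pandoc Markdown-to-DOCX conversion only if pandoc is installed. The sample terminal capture is constructed.

```python
import re
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Matches CSI sequences (colours, cursor moves, \x1b[K) and OSC sequences (window titles).
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")

def sanitize_terminal_output(raw: bytes) -> str:
    """Turn a raw terminal capture into plain text safe to paste into a Markdown report."""
    text = raw.decode("utf-8", errors="replace")  # undecodable bytes become U+FFFD
    text = ANSI_RE.sub("", text)
    text = text.replace("\r\n", "\n").replace("\r", "\n")  # progress bars emit bare CR
    # Drop any remaining control characters except tab and newline.
    text = "".join(ch for ch in text if ch in "\t\n" or ord(ch) >= 0x20)
    return text.replace("\t", "    ")

def as_code_block(text: str, lang: str = "") -> str:
    """Fence the text with more backticks than any run inside it, so it cannot escape."""
    longest = max((len(m) for m in re.findall(r"`+", text)), default=0)
    fence = "`" * max(3, longest + 1)
    return f"{fence}{lang}\n{text.rstrip()}\n{fence}\n"

def convert_report(md_path: Path) -> Optional[Path]:
    """Convert the Markdown report to DOCX with pandoc; returns None if pandoc is absent."""
    if shutil.which("pandoc") is None:
        return None
    out = md_path.with_suffix(".docx")
    subprocess.run(["pandoc", str(md_path), "-o", str(out)], check=True)
    return out

if __name__ == "__main__":
    # Constructed capture: coloured prompt, CRLF line ending and an erase-to-EOL code.
    capture = b"\x1b[1;32mroot@target\x1b[0m:~# id\r\nuid=0(root)\x1b[K\n"
    clean = sanitize_terminal_output(capture)
    report = Path("report_check.md")
    report.write_text("# Conversion test\n\n" + as_code_block(clean, "text"))
    print(convert_report(report) or "pandoc not installed; Markdown written only")
```

Run this once before exam day so that conversion problems surface on a throwaway file rather than on the real report.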
Afterthoughts
24 hours or so after I submitted the report, I got the good news email! As a reward for passing on my first try, I was one of the last few to be able to receive a physical certificate!
Even though Offsec switched the labs right in the middle of my lab time (adding Active Directory), I was able to finish up my lab report (which saved my exam attempt), study more on Active Directory, and pass the exam.
The most important thing I learnt is to have a methodology, and the mental resilience to Try Harder. This means to keep trying, and to try different approaches.
For now I'll take a break. My next step would probably be Burp Suite Certified, as I have an exam voucher. In the future I may consider other higher level penetration testing certificates.
That's it from me, hope my experience can help anyone with their OSCP journey!