What is the OSCP
Offensive Security Certified Professional (OSCP) is an entry-level, hands-on penetration testing certification. The OSCP is one of several certifications offered by Offensive Security. It consists of the self-study Penetration Testing with Kali Linux (PwK) course and an online, proctored practical exam.
The course costs a minimum of $800 USD and includes 30 days of lab access and one OSCP exam attempt. There are packages that include longer lab access, and you can extend your lab access if you find you need longer to prepare.
What ISN’T the OSCP
- Current methods and techniques
- It won’t make you a l33t hax0r, but you will learn fundamentals
How long did you study?
I started working on it in Sept 2018, then life and the holidays got in the way of dedicated study time. I kept slowly and intermittently practicing until April 2019, when I REALLY started to get serious about completing the OSCP. This started crunch time. I am lucky that my partner was on board with me locking myself away to focus on labbing. I took the exam on May 9th 2019.
What did you do to study?
I started by going through Offensive Security’s Penetration Testing with Kali Linux (PwK) workbook and then watching the associated videos. They are both fantastic resources, providing the solid base of knowledge you need for the exam. I had the PwK workbook printed out and bound to save my eyes from staring at a screen. Throughout my studies, I took a lot of notes. I used these notes when working on machines in the lab, in the exam, and on other CTF-style boxes I worked on. Below are copies of the notes I created while studying.
- Buffer Overflows
- Password attacks
- Shell and Linux / UNIX
- Web Exploitation
Once I completed the workbook and videos, it was time to sit down and start working on machines in the Lab. While working on the labs I began to branch out and learn from various sources across the internet. As I worked through the lab and got closer to my date, I started to focus on my weak topics, which for me were Windows Exploitation and Windows Privilege Escalation. I have added some of the main links and books I used to study; there are many more links in my notes.
- IppSec videos
- OSCP-like Vulnhub VMs
- Phrack – Smashing The Stack For Fun And Profit
- Basic Linux Privilege Escalation
- Pentestmonkey SQL Injection
- Windows Privilege Escalation Fundamentals
- Penetration Testing: A Hands-On Introduction to Hacking – Georgia Weidman
- The Hacker Playbook: Practical Guide To Penetration Testing – Peter Kim
- The Hacker Playbook 2: Practical Guide To Penetration Testing – Peter Kim
- Hacking: The Art of Exploitation – Jon Erickson
OMG the Exam…
The OSCP exam is a 24-hour practical test: you spend those 24 hours hacking in a mock environment, attempting to break into various targets. You then have another 24 hours to write a report based on your findings from the exam. To obtain your OSCP you must submit a report; I’ll talk more about the report later. The Exam is proctored: you run software that captures your screen and webcam, both of which are also monitored by one or more proctors. There are limits to the tools you can use during the Exam:
- Spoofing (IP, ARP, DNS, NBNS, etc.)
- Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
- Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja, etc.)
- Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
- Features in other tools that rely on a forbidden or restricted tool under the hood
- Metasploit (including Meterpreter) may be used against only one target of your choice during the Exam; the lab has no such restriction
These limitations are an example of why it is important to fully read through the exam guide and reporting template to make sure you have all the proofs and meet the reporting requirements. These guides are found at the following links:
Lab and Exam Reporting Info: https://support.offensive-security.com/pwk-reporting/
OSCP Exam Guide: https://support.offensive-security.com/oscp-exam-guide/
Proctoring FAQ: https://support.offensive-security.com/proctoring-faq/
My exam agenda
When planning for my Exam I created a high-level schedule to follow. This is an important way for me to get organized. My exam started at 9:00 am, allowing me to follow a similar routine to what I do normally.
- Wake up … Breakfast
- Connect to Proctor and follow process – 15 mins before start
- Receive access details and connect to VPN – 15 mins
- Read requirements and write down in notes – 30 – 45 mins
- Initial Enumeration of targets – 1 hour
- Hack Away!
- Eat Lunch
- Eat Dinner
- Probably still Hack…..
Exam Tips and Tactics
This is a list of various, mostly non-technical, tips I have for taking the Exam. When reading through people’s challenges on Reddit, Twitter and blog posts, I saw that a lot of people ran into less-than-technical issues when taking their Exams.
- I’ll repeat this here: make sure you read through the exam guide and reporting template so that you have all the proofs and meet the reporting requirements!
- Attempt to limit distractions and find ways to go into flow
- Manage your time wisely
- I used Pomodoro to help divide up my day. This method is ~25 minutes working, then a 5-minute break, repeat. I changed targets on each cycle if I was not making progress and was just grinding away on a machine. This method helped me avoid getting stuck on one machine for extended periods of time.
- Keep a timeline of the day
- This will help you reference any screenshots or recordings you created later.
- You are your own worst enemy: Avoid going down a rabbit hole
- Breathe…go for a walk…pet a cat…have a snack…
- Enumerate Enumerate Enumerate
- If you are not finding your way into a system or the way to escalate privilege, enumerate more.
- Screenshot, Screen record, track everything! This will take the stress off of creating the report the next day.
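The timeline and "track everything" tips above are easy to say and easy to drop under exam pressure. As an added example (this is not the author's tooling and not part of the original post), here is a small POSIX shell helper that makes the habit mechanical: every note gets a UTC timestamp, every proof file (a screenshot, a captured proof.txt) is copied into a per-target directory with a timestamped name, and its SHA-256 is written to the timeline so the image you paste into the report the next day can be matched to the one captured during the exam. It assumes `sha256sum` is available and that `EXAM_DIR` (default `./exam`) is writable; the target names used are placeholders you choose yourself.

```shell
#!/bin/sh
# Exam timeline and evidence logger (added example; not the author's own tooling).
# Assumptions: POSIX sh, sha256sum in PATH, EXAM_DIR writable. Default layout:
#   $EXAM_DIR/timeline.md            one line per event: UTC time | target | text
#   $EXAM_DIR/<target>/<stamp>_<file> every proof, named by capture time
EXAM_DIR="${EXAM_DIR:-./exam}"
TIMELINE="${TIMELINE:-$EXAM_DIR/timeline.md}"

# log_note TARGET TEXT...: append one timestamped line to the timeline.
log_note() {
    target="$1"; shift
    mkdir -p "$(dirname "$TIMELINE")"
    printf '%s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$*" >> "$TIMELINE"
}

# log_proof TARGET FILE: store a proof under the target's evidence directory,
# record its SHA-256 in the timeline, and print the stored path.
# Returns 1 (and logs nothing) if FILE does not exist, so a typo is noticed now
# rather than while writing the report.
log_proof() {
    target="$1"; src="$2"
    [ -f "$src" ] || { echo "log_proof: no such file: $src" >&2; return 1; }
    dest_dir="$EXAM_DIR/$target"
    mkdir -p "$dest_dir"
    dest="$dest_dir/$(date -u +%Y%m%dT%H%M%SZ)_$(basename "$src")"
    cp "$src" "$dest"
    sum="$(sha256sum "$dest" | cut -d' ' -f1)"
    log_note "$target" "proof saved: $dest sha256=$sum"
    printf '%s\n' "$dest"
}

# timeline_for TARGET: print every timeline entry for one target, in order,
# which is the skeleton of that target's section in the report.
timeline_for() {
    grep -F " | $1 | " "$TIMELINE"
}

# Typical use during the exam (target names are placeholders):
#   log_note target1 "nmap -sC -sV full TCP scan started"
#   log_note target1 "foothold as www-data via file upload"
#   log_proof target1 ~/Pictures/target1-local.png
#   timeline_for target1
```

Run the helper with `. ./examlog.sh` (or whatever you name the file) in each terminal so the functions are available alongside your normal tooling. Keeping the hash in the timeline costs nothing and removes any doubt, when the adrenaline has worn off, about which screenshot belongs to which step.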
There are two topics when it comes to reporting: the Lab report and the Exam report. Offensive Security provides a guide for reporting at the following URL: https://support.offensive-security.com/pwk-reporting/. This contains some templates and some recommendations on how to manage data.
One of the first questions people ask is whether I did the Lab report. I decided not to do the Lab report; it is only worth 5 points, and I did not find that the time to create the report was worth it for me. However, I did write a mock report to practice ahead of the Exam. That made sure that my first Exam reporting experience was not during the Exam, when I would be exhausted.
When it comes to my Exam report, I started it after I had finished my Exam but had not yet closed out with my proctor, and began to create a very, very, very rough document with the screenshots and other content. I did this to make sure I had satisfied all of the requirements, and it would let me go back and recreate or regather any proofs I may have missed. After I thought I had everything and the adrenaline had started to wear off, I went to sleep, got started again the next day, and finished the document over the course of that day.
- The OSCP was a great experience and very challenging
- There is a lot to learn
- Make sure significant people in your life understand the time commitment
- ABL, Always Be Labbing
- Have fun, good luck, and #tryharder