I recently completed my Offensive Security Certified Professional Certification and obtained my OSCP.
I took the exam the 18th of May 2021.
Before starting my OSCP journey, I already completed my eWPT and eCPPT. I was also fortunate enough to work as a pentester for about a year prior to starting with the PWK labs. However, despite both the certificates and the work experience being beneficial, I do believe that anyone with a serious determination can complete the OSCP without either of them.
I did not really prepare much prior to starting with PWK because I had just finished my eCPPT. If you don’t have much prior experience I would recommend TryHackMe. They have an OSCP path which is very much suitable for beginners. If you have some prior experience but don’t feel comfortable exploiting machines without looking up solutions, I recommend starting with the easiest HackTheBox machines and to work your way up.
Part of the PWK Labs are the exercises with which you can score 5 (bonus) points for completion (this includes rooting 10 lab machines with proper walkthroughs). From fellow OSCP students, I heard that this requires a serious amount of work and you can expect to spend four/six full weeks to complete all the requirements. Since this is a significant amount of time, and because not all exercises are necessary for the OSCP per se, I decided not to do them and spent my time on the actual lab machines to get as much relevant experience as possible.
The actual lab machines were okay, I am not so enthusiastic about PWK’s lab machines mainly due to the environment. You share the machines with fellow students and while working on the machines you more often than not realise that someone else is working on them simultaneously. This is obviously rather annoying since this may disclose hints and it prevents you from effective studying. In addition to this, the PWK lab machines simulate a real network environment which includes pivoting. I am conflicted about this since I had quite a few times that I did not realise a machine had a dependency. Because I didn’t want to look at the forum prior to starting with a machine (to prevent seeing hints), I often spent quite some time just to find out that it had a dependency. This quite obviously is rather annoying. Finally, some machines are very very outdated.
In the end, I rooted a bit over 30 machines and learned quite a lot along the way. However, most of my knowledge and experience was built with HackTheBox.
I have several courses I cannot recommend enough. In my opinion they are pretty much a prerequisite. If you have a limited budget, go for Tib3rius’s courses, they are a bit more advanced and super useful for OSCP:
Hack The Box
After completing the PWK labs, I did not feel comfortable to do my exam yet so I continued my preparation with Hack The Box machines. I posted walkthroughs without metasploit for all machines that I exploited. I rooted a bit over 30 machines and the machines that I exploited are from this list:
Please note that the list is still maintained and actively updated to contain OSCP like machines, full credits go to TJnull.
I highly highly recommend spending as much time as possible on HackTheBox, the amount you’ll learn is incredible. If you have money to spare, I very much recommend getting VIP/VIP+ to prevent the limitation of the PWK labs, e.g. shared machines. I recommend doing all the machines from the list and only look at solutions after being stuck for about 45 minutes. Some people recommend 2 hours but sometimes you don’t know what you don’t know and I believe that in some cases it is better to look at the solutions. Please refer to my walkthroughs if you get stuck for any of the machines :) Finally, if you remember only one thing from this post, let it be to watch IppSec for all machines on the list!
Please do not worry about the buffer overflow! It is the simplest stack-based buffer overflow that you can think of, it only includes a few bad characters that you can discover with mona. I highly recommend properly studying this, ensure that you can complete it within an hour.
If you’re just starting out with Buffer Overflows, I highly recommend this youtube series by The Cyber Mentor!. Also, ensure that you have like 5/6 different python scripts pre-built. You can use the scripts from this repo but ensure that you watch the videos first. In addition to this, you should carefully document every single step so that you can root this quick and effectively during the exam. To practice them, you can start with Justin Steven’s repo, it contains all the steps and a practice application. After that, you should complete at least four of the BOF practice machines from TryHackMe. By doing so, you will have all the knowledge to complete the BOF within an hour.
I scheduled my exam for 7 in the morning. I recommend scheduling it early because your brain is nice and fresh in the morning and the distractions are limited. Setting up the proctoring takes about 15 minutes and is quite a smooth process. Please note that your video, screen and audio will be monitored throughout the entire duration of your exam. However, you can take a break whenever you want.
Please take a lot of breaks! I know it’s difficult to take a break when you feel stressed and feel like you don’t have enough time to take a break but trust me, any OSCP will tell you that you need to take lots of breaks as you need to be able to think clearly; it probably saves you time in the long run! I recommend applying the pomodoro study method.
Machine #1 (10 points)
I decided to start with the 10 points machine while my scans from NmapAutomator were running on another machine.
After properly port scanning the host, I found the exploitation path and managed to root the machine within an hour. Please note that you don’t have to do any privilege escalations on this machine since you will obtain a root shell instantly.
Machine #2 (20 points)
My scans finished from the first machine and I started scanning the other machines while going over the results. By going over the results I found that several webservers where running. Carefully inspecting each webserver resulted in a working public exploit script that gave me command execution within an hour. It was a bit tricky to obtain a shell but I happened to already know how to achieve this since I did a Hack The Box machines with a similar exploit path.
After obtaining a shell, I ran an enumeration script and got kind of stuck after analysing the results and concluding that I didn’t really find any indication of a vulnerability. I decided to run some other enumeration scripts. This was a great decision since it flagged something very unusual. I pasted part of the results into google and found a great article that I had to modify slightly which enabled me to run commands as root. At this point I added a root user to the passwd file and was able to promote to a root shell.
Machine #3 (20 points)
At this point I felt super great. I already had 30 points in the bag and knew that the BOF wouldn’t be a problem - I had 55 points in my mind. Therefore I knew that If I was able to root this machine, I passed the technical requirements.
This was a windows host and like most people, I find windows harder to exploit. After spending about 2 hours on enumeration, I found some interesting things but was unable to exploit them. For example, I found a file upload vulnerability but was unable to obtain a shell this way. I got stuck and took a longer break.
I came back feeling refreshed (and slightly time presssured), after going over all my material I realised I had everything I needed and was able to get a user shell within 10 minutes.
As usual, I ran my enumeration scripts and found some interesting things. This is where the problems started. I got stack in one massive rabbit hole and followed entire windows enumeration cheatsheets. I spent hours and hours here and got super tired, at this point I was about 16 hours in so I also felt time pressured. I was so stuck that I really didn’t think I would still pass, therefore I decided to do the BOF before I had no time left.
Machine #4 BOF (25 points)
Due to my BOF preparation, I was able to obtain a root shell on this machine within an hour and the process was quite smooth.
Machine #3 (20 points) - Continuation
At this point I was 17 hours in, tired and stressed. I repeated things I had already tried and was just copy pasting stuff on the machine. This was stupid in hind sight, I should’ve taken a bit of a break but felt like I didn’t have time for it.
About 20 hours in I saw the light and realised I messed up a command I tried at the very start, I used a new command and was able to obtain the root shell within minutes. The privesc exploitation path was super easy in hindsight but being so tired, I was just unable to do it.
I went back over all machines and ensured I had proper notes for all the machine’s their exploitation paths (including screenshots) and double-checked the flags and other requirements according to the exam guide. I stopped the exam 22 hours in.
I felt very comfortable writing reports since I had about 18 months of professional work experience at this point. I wrote my report in LaTeX and managed to do it in about three to four hours. Ensure that you follow the aforementioned exam guide precisely when compressing and submitting your report.
This was the most difficult exam I have ever taken, period. It takes months to prepare and you are most likely going to feel stupid, annoyed and demotivated many times throughout your journey. The exam strengthened these feelings and combined them in an emotional 24 hour roller coaster. However,
The best feeling in the world is seeing the benefits and rewards of continuous hard work.
You are going to feel immensely accomplished and rightfully so. I recommend this journey to everyone.