In the last few weeks there have been no new posts, as I have been preparing for the OSCP. This is another of the many articles about how to pass this exam and obtain the most prestigious Offensive Security certification. However, I took the certification in the new 2020 version, so perhaps I can provide some extra information. And it’s always useful to read this kind of post in the days leading up to the exam (I say this from experience) – let’s get to it!
To begin with, let’s describe the OSCP certification. It is obtained by taking the PWK (Penetration Testing with Kali Linux) course, which is designed for those who wish to direct their career towards pentesting. You can see the syllabus on its website, but it basically includes everything you need to perform a real pentest from start to finish. Although it is advertised as an introductory course, in the hacking world it is known for its difficulty, as it is a purely practical course in which you need a lot of knowledge about pentesting techniques and tools.
If you don’t know me, I’ll tell you what my previous knowledge was before I started the certification. You can find out more about me by following this link, but in summary I did a degree in Computer Engineering at the UAM (Madrid) and a master’s degree in ICT Security at the UOC (Barcelona).
When I was in the last year of my degree I started working at GMV, where I spent two years in the cyber-security department as a Junior Pentester. There I obtained the CompTIA Security+ certification.
Then I emigrated to Ireland, where I have been working as an Information Security Analyst for Global Payments for a little over a year.
PWK 2020 Course
This course was known for having very poor and outdated material that did not match the difficulty of the exam. However, it was renewed in 2020, completely updating the syllabus and adding new sections such as Active Directory and PowerShell.
In my opinion it is quite useful material: I learned quite a lot of new things and added a good number of techniques to my repertoire. However, reading and learning everything in the course is not enough to pass the exam, not by a long shot. That is the essence of this certification: the only way you’ll pass is by fending for yourself and doing the work on your own.
The interesting thing about the course is the laboratories.
Offensive Security offers three different laboratory access options, each more expensive than the previous one: 1 month, 2 months or 3 months access.
I chose the 3-month access. However, I used the first month to read the PDF and watch the videos. I spent quite a lot of time on this because I insisted on doing all the exercises, disregarding the advice other people had given me. I think this was a mistake. While it is true that doing the exercises and writing a report on 10 of the lab machines gives you 5 bonus points, the lab time I lost on them was not worth it. You need 70 points to pass the exam, and you would have to be right on the edge for those 5 bonus points to make a difference.
My advice is that if you consider that you already have the knowledge the course material provides, use your access time to go straight to the labs, which is where you will really learn and gain experience (I have also heard that it is possible to get the course PDF from some websites, and some people study the content before paying for access, but this is something you clearly should not do, as it is illegal).
I spent the next two months in the labs. Here I made my second mistake, and this is probably the best advice I can give you: if you want to pass the exam, don’t look at the forums or search for hints. I’m telling you from my own experience: it’s very hard to resist temptation when you’ve been stuck for half an hour without being able to move forward and you know you’re just a couple of clicks away from a hint on how to do it. In the exam there won’t be anyone you can ask for a hint.
I kept this attitude throughout the lab: I looked at the hints right away so I knew where to go, as I thought it was the best method, reasoning that the next time that vulnerability or that way of escalating privileges appeared, I would know how to do it without looking at hints. This is not true. At the moment of truth, if you have not learned to look for yourself and analyse what is in front of you, you will not know how to advance and you will fail the exam.
In those two months I did about 90% of the machines in the labs, but as my methodology was wrong, the course labs were not useful for preparing me for the exam.
Hack The Box
What helped me the most was undoubtedly HackTheBox. I had been using this platform for quite some time; in fact I have some posts that can be useful if you don’t know it. Many people recommend doing certain machines already retired from HackTheBox, for example those on TJnull’s list. These machines are similar to the ones you can find in the exam.
I, however, do not recommend this. All those machines are already retired, so the temptation to look at the walkthroughs when you get stuck will be very strong.
Instead, what I did, and what I recommend you do, is work through all the easy and medium active machines. It doesn’t matter whether they are more realistic or more CTF-oriented. The important thing is that you do them by yourself, without asking for help or looking at the forum. If you can get shells with administrator privileges on all the medium machines without asking for help, then you are ready to take the exam.
A couple of weeks before the exam I discovered the TryHackMe platform. I decided to sign up to try it out, as I saw that there was a ‘learning path’ specially designed to prepare for OSCP: the ‘Offensive Pentesting Path’. Although I found it very simple, I think it is a very good way to start preparing for the exam, so I recommend doing it before buying the PWK course. It explains all the basics through different machines in their lab, so it’s a much more guided learning experience than the one HackTheBox offers. It also includes a section on buffer overflows.
This path has free machines and others that require a VIP subscription. I paid directly for a month’s subscription, as it is only 8 dollars. I completed the path in 5 days, although it is meant to take a couple of weeks if you have no previous knowledge.
Offensive Security has recently launched a new platform, Proving Grounds, to practise for OSCP. It has two sections: Play and Practice. Play is free and contains VulnHub machines. The interesting part is Practice, which requires a paid subscription ($19) but contains retired machines that were used in real OSCP exams. I discovered it when I only had a few hours left before the exam, so I decided not to try it, but I have friends who have used it and their experience was very good. If I had to prepare for the certification again, I would pay for this option without any doubt.
Finally, I recommend this blog, specifically the posts I’ve been uploading lately about infrastructure hacking, in which I show different vulnerabilities I have found in each of the best-known protocols and services. I think it can be very useful for learning different examples of ways to exploit vulnerabilities. You can find all those posts here.
Lastly, I want to share with you “The Method”. This is what I call the methodology I have developed over these months for hacking a machine starting from nothing but its IP address. Using this technique I was able to successfully hack all the machines in the OSCP exam.
The machines you will encounter during the exam are not difficult, but they can be overwhelming in some cases, since they usually have quite a few open ports and protocols, not all of which will be exploitable.
The main mistake people make when taking the exam is poor organisation. Without following a clear structure, it is easy to get lost and fall into the so-called “rabbit holes”.
This is why “The Method” starts by analysing every open port and protocol on the target machine. For this I have tried some tools that automate this initial phase, like reconnoitre, but in my opinion the most useful tool is AutoRecon.
Once all the scripts have finished, we must analyse each result that nmap has returned. Write down each open port/protocol and the interesting information you obtained from nmap. Many people use CherryTree to write everything down. I prefer Google Sheets, so I can have all the information structured and online. But that is a matter of personal preference.
The important thing is not to fixate on a single protocol. Look for all the information you can get from each protocol and its versions; if there is a web server, run nikto and gobuster/dirb/dirbuster; check every CMS or protocol name you find in searchsploit; but at this stage only write down the possible exploitation vectors in your notes.
Once you have finished analysing all the information the automatic tools have returned, you can start exploiting whatever you find easiest. For example, on a machine with FTP, SMB and HTTP, I would start by trying anonymous access on FTP, then check the shared folders on SMB, and finally check the different URLs obtained from gobuster and try to exploit the vulnerabilities you have found in the web service that is running.
This way, you will be aware of all the possible vulnerabilities before you start exploiting them. This methodology gives you a great advantage for two reasons: firstly, you avoid falling into rabbit holes, since before exploiting anything you analyse all the information and go first for the vulnerabilities that are easiest to exploit; and secondly, it makes you aware of all the possible vulnerabilities in the machine, which is very useful for chaining attacks, since in most cases you will have to combine the vulnerabilities of two different services in order to obtain an administrator shell.
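As an added illustration of the note-taking step described above (my own code, not from the post, AutoRecon or Offensive Security), the script below turns nmap greppable (-oG) output into the kind of structured port-by-port notes the post recommends, ordering the first-pass checks in the post's easiest-first sequence (FTP, SMB, HTTP, then everything else) and adding a searchsploit reminder for every version string. The scan output is constructed, and the check texts and priorities are my own assumptions about how to encode the post's method.

```python
import re

# Constructed sample of nmap greppable (-oG) output for one host; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.5
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//microsoft-ds//Samba smbd 4.7.6/, 3306/filtered/tcp//mysql///\tIgnored State: closed (994)
"""

# Map nmap service names onto the service families the post talks about.
SERVICE_FAMILY = {"ftp": "ftp", "netbios-ssn": "smb", "microsoft-ds": "smb",
                  "http": "http", "https": "http", "ssl/http": "http"}
# First-pass checks in the easiest-first order the post suggests (lower = sooner).
FIRST_PASS = {"ftp": (0, "try anonymous login"),
              "smb": (1, "list accessible shares"),
              "http": (2, "run nikto and gobuster/dirb; note every URL and CMS")}


def parse_gnmap(text):
    """Return {host: [port_info, ...]} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \(.*?\)\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(2).split(", "):
            f = entry.split("/", 6)  # port/state/proto/owner/service/rpc/version/
            if len(f) < 7 or f[1] != "open":
                continue
            hosts.setdefault(m.group(1), []).append(
                {"port": int(f[0]), "proto": f[2], "service": f[4],
                 "version": f[6].rstrip("/").strip()})
    return hosts


def build_notes(ports):
    """Turn parsed ports into an ordered checklist; nothing here touches the target."""
    notes = []
    for p in ports:
        prio, check = FIRST_PASS.get(SERVICE_FAMILY.get(p["service"]), (9, None))
        todo = [check] if check else []
        if p["version"]:  # the post: look up every version string in searchsploit
            todo.append("searchsploit '%s'" % p["version"])
        notes.append({"port": p["port"], "service": p["service"],
                      "version": p["version"], "priority": prio, "todo": todo})
    return sorted(notes, key=lambda n: (n["priority"], n["port"]))


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        for n in build_notes(ports):
            print(host, n["port"], n["service"], n["version"], "; ".join(n["todo"]))
```

Filtered or closed ports are dropped on purpose, so the notes only contain what can actually be enumerated; paste the output into your spreadsheet or CherryTree and tick items off as you go.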
This is the methodology I followed to prepare for the certification, and it worked for me. A few days ago I received the notification from Offensive Security that I had passed. I hope this information can be useful to you too.
After this exam, I think I will take a short break and then start preparing for the OSWE.