I’ll try to keep this short and sweet — it’s also my first post on Medium, and I hope to document more cyber-related things in the future.
I managed to pass OSCP earlier this year with 100 points. I was extremely happy with the result, as this certification had been on my mind for quite some time. Hearing all the stories of everyone battling to pass the exam within 24 hours filled me with some sense of nervous anticipation/dread, but at the same time it sounded like an exciting challenge to me.
Background
I’ve been working professionally in Cyber Security for the past 4–5 years, but I’ve had a passion for it for almost double that time, and I’ve been involved with computers for 10+ years. It mainly kicked off when I started watching ‘Mr Robot’ (Typical, I know..) — I then went down the slippery slope of HackTheBox, then inevitably watching IPPSec videos to soothe my mind once I lost hope of breaking into a retired box.
I broke into the industry through a defensive cyber security role; during that time I developed my sysadmin, PowerShell, Python, networking, Active Directory, Azure & overall ‘real-world’ corporate cyber skills. More recently I’ve been taking a greater interest in applying my “hacking” skills in a professional environment — OSCP still appears to be the de facto entry-level penetration testing certification that the majority of offensive roles require to get past HR filters, which is why I wanted to get it under my belt.
I think it’s common knowledge that, due to the recognition that OSCP holds, OffSec sort of hold a monopoly at the moment & charge considerably more than competitors whose courses rival the content that PEN-200 teaches — but I’ll speak about that later.
When do I know that I’m ready to take the exam?
I’ve seen this question & variations of it asked so much online; to put it bluntly — you’ll never know until you actually sit down and take it. It is obviously more nuanced than this though: there are certain benchmarks & measures of progress you could/should set to determine how prepared you currently are for taking the OSCP exam. I set a couple of loose requirements that I felt I needed to hit before I was comfortable scheduling it, which I split into 3 main parts:
- TJ Nulls Machine list — PG/HTB
- HTB — Dante ProLab
- PEN-200 | Set A,B,C & Challenges
TJ Nulls Machine list — PG/HTB
I wasn’t very strict with this part. Essentially, I would work through all boxes from the TJ Null list, making notes for each machine collated in a OneNote file, getting as far as I could on my own & “Trying Harder” when I got stuck. If I went too far into rabbit holes or was making little progress, I’d look up a walkthrough & only read the portion I was stuck on. Once finished with the list, I moved on to completing both retired & active easy/medium boxes with the same approach, then rinsed and repeated until I had around 50–60 machines fully rooted, each with a fully detailed path to compromise.
This provides a really good baseline of knowledge of different exploitation techniques & you’ll find that the more boxes you complete, the easier the new ones become: if you get stuck, simply Ctrl+F across all notes in your OneNote notebook & you’ll likely find something similar to the problem you’re currently facing. If faced with something brand new, my go-to would be HackTricks — search for the service/technology you’re looking at.
Personally, this was the most important part of my journey — as simple as it sounds, learning how to google/research in the right way helps tremendously & is half the battle. ippsec.rocks is an amazing resource: it indexes IPPSec’s YouTube videos with tags — search for the type of attack/vulnerability/scenario you’re facing & it’ll return videos that are relevant to your query.
It might be overkill & I didn’t do it, but consider creating mini reports for each machine you compromise: how did you get user privileges on the target, how did you escalate your privileges, what remediations would you recommend putting in place to prevent this from happening again? Provide links to documentation, map it to the MITRE ATT&CK framework & work on sounding professional. It’s all well and good pwning a machine, but in a corporate setting there needs to be qualitative & quantitative data; learn about conveying information to different target audiences, e.g. C-Suite versus system administrators. You could then potentially repurpose these snippets in the final report once you’ve completed the exam.
HTB — Dante ProLab
I think this part is optional if you’ve got the extra time/money to invest into a ProLabs subscription on HTB. It taught me a lot about pivoting, which is something you really need to know in order to perform lateral movement on an engagement. I focused my efforts on understanding the Chisel tool, combined with proxychains, to proxy connections via compromised hosts and reach hosts that are inaccessible from the initial access point. Once I had reached around 75% completion of Dante, I felt much more comfortable executing attacks via pivoting; understanding double or even triple pivots solidified my confidence in this area.
Really useful articles on pivoting using Chisel:
- https://ap3x.github.io/posts/pivoting-with-chisel/
- https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
At the end of the day, it’s up to you which tool you see best fit to use for pivoting; another good option is ligolo-ng.
SSH port forwarding is an important concept to understand as well; this diagram is etched into my brain whenever I’m in a scenario that requires it:
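To illustrate the concept behind a local forward like `ssh -L`, here is an added example (not the author’s code, and not ssh itself): a plain TCP relay that listens on the near side and copies bytes both ways to a destination, with a loopback echo server standing in for the “internal” service. ssh does the same thing over its encrypted session; this relay is unencrypted and exists only to make the data flow visible.

```python
import socket
import threading


def _pump(src, dst):
    # Copy bytes from src to dst until src closes, then signal EOF on dst.
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, handler):
    # Accept loop: one daemon thread per connection.
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_echo_server():
    """Constructed stand-in for the service behind the pivot; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    threading.Thread(target=_serve, args=(srv, lambda c: _pump(c, c)), daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(dest_host, dest_port):
    """Local forward: listen on a free local port, relay each client to dest."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen()

    def handle(client):
        upstream = socket.create_connection((dest_host, dest_port))
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()            # dest -> client
        _pump(client, upstream)  # client -> dest
        back.join()
        client.close()
        upstream.close()

    threading.Thread(target=_serve, args=(lst, handle), daemon=True).start()
    return lst.getsockname()[1]


def roundtrip(port, payload):
    """Connect through the forwarder and return whatever the far service sends back."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data
```

The client only ever talks to the forwarder’s port, which is exactly why, from a defender’s side, a listener that appears on a host with no matching service is worth investigating.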
PEN-200 | Set A,B,C & Challenges
This section of my study I really wanted to set strict rules for — at the end of the day, this is as close as it gets to the real thing & this is half of what you paid the big bucks for when you forked out for PEN-200.
I gave myself a period of 2 weeks to complete sets A, B & C, all under exam-style conditions. If I could get a pass mark for at least 2 out of the 3 sets, I’d book the exam the following week.
So I started on set A, set a timer for 24 hours & got to work: no asking questions of others, no distractions — full focus. If I exhausted all options on a box, I’d move on to the next — it wasn’t an issue if I didn’t fully compromise all hosts, I just aimed for that sweet 70%.
I did this for sets B & C too & passed all sets. There were 1 or 2 machines I wasn’t sure on overall, so I then asked around for hints and nudges in the right direction, then made more detailed notes on the areas I was weak in. Once all the sets were complete, I booked the exam & while waiting for the date, completed the challenges “MedTech, Relia & Skylark” — I don’t think I finished all the machines here, but it was good extra practice for the exam.
Judgement Day
I started my exam at around 1PM and thankfully had no issues with the VPN or proctor software. As I was really confident about my AD knowledge, I started on this set first & just couldn’t work out how to get a foothold; I persevered but made no progress over the course of 2 hours, and I felt uneasy.
So I went away for a break and walked my dog, & thought to myself that I’d focus on the standalones instead and might get some inspiration for the foothold on the AD set in the meantime.
I came back to my desk & over the next 2 hours managed to get root on one & user on another standalone machine. Pleased with my progress, I took another break and had dinner. After I came back, I revisited the AD set; it took me another hour before I realised that I had overlooked something previously, revisited this item & got user. I kept hammering away at the AD set until around midnight & had fully completed the set. Now sitting at 70% — I was ecstatic & it gave me some more motivation to get the other machines; I stayed up for another hour or 2 and had reached 90%. Feeling tired, I set my alarm & went to sleep.
The next morning I revisited the remaining privilege escalation flag, realised just how sleep-deprived I had been the night before, & then proceeded to get root. 100/100 — however, time was closing in on me. I looked at my notes & they weren’t very pretty; I spent the last hour and a half frantically resetting boxes, grabbing screenshots, proofs and a comprehensive list of the commands that were used.
I would highly recommend that you don’t get carried away once you get a shell and start looking for privesc; note down absolutely everything when you have success with something. It just saves you unneeded stress when writing out the report & serves as a good reminder that you should have a full audit log of everything that happens when conducting a penetration test.
Thoughts on PEN-200 Course
I’m not a massive fan of the course content & how it’s taught, to be honest — after skimming through the PDFs I realised that I had previously learnt a lot of the material through my own journey on HTB/TryHackMe/Proving Grounds. So I didn’t use any of the course content; the only preparation I took from PEN-200 was the A, B, C & Challenge sets they provided — I had some issues with reverting these boxes, but the support team did help fix the problems I was facing.
There are definitely some good competitors to OffSec’s ‘OSCP’ certification, including (but not limited to):
These come in at a fraction of the price & I feel that the way both of the underlying courses are taught works better for me. There are differences between all 3 of them; however, I think that as these alternative certifications rise in popularity, their recognition will too.
This is especially apparent for HackTheBox’s ‘CPTS’ — if you’ve got a student email address, you can get the HTB Academy Penetration Tester path for less than £12 a month. I believe CPTS is the main competitor. I don’t think that PNPT will hold the same weight as either course in terms of technical depth, but it teaches great methodology, a “Hacker’s Mindset” & allows you to practice real-world one-to-one debriefs with a simulated customer, whilst the others rely only on written skills.
Tips
- Often overlooked, but TAKE BREAKS & GO OUTSIDE — your mind will thank you & it allows you to think more clearly & shed tunnel-visioned thoughts; this was a key driver of my success in the exam.
- Don’t overthink it; you’re not expected to develop your own L33T zero-day to compromise a target. Everything you’ve taught yourself up until this point could be tested within the exam.
- Don’t be afraid of using Metasploit against one of the targets, but exhaust Google first — the exploit / technique / PoC you’re looking for might exist elsewhere on the internet. Keeping Metasploit for a machine you’re really stuck on as a “get out of jail free card” might be an approach to consider.
- Make Active Directory your priority: if you’re getting into this field & you’re doing internal assessments, the company is more than likely going to be using AD. The AD set in OSCP accounts for 40% of the overall mark, meaning that even if you get root on all the other standalone machines & you don’t fully compromise the AD environment — you will fail. (Or you could fall back on the 10 bonus points) →
Requires completion of at least 10 PWK lab machines along with a detailed report, including all of the PWK course exercise solutions for a total value of 10 Bonus Points.
NEW: The 10 PWK lab machines reported on must include Active Directory targets.
Aspirations
- CPTS
- CBBH
- CRTO
- I aim to get OSCE3 by 2025 (Mainly for the cool coin)
I hope this post has helped/inspired anyone looking at taking the OSCP.
Good Luck!
// Thanks for reading :)