OSCP Insights: Busting Myths & Helpful Tips

George Mathias
9 min read · Jan 5, 2019


At the close of last year, I received a much-anticipated e-mail informing me that I’d passed my OSCP exam! Now with the adrenaline settled a couple of weeks on from the news, I want to reflect on the process — with the aim of helping prospective students on their own InfoSec journeys!

What is the OSCP? (Skip this if you already know!)

The OSCP (Offensive Security Certified Professional) is an entry-level penetration testing certification that is well-respected in the cyber security industry. The OSCP exam can only be taken after you have enrolled in and completed the Penetration Testing Training with Kali Linux (PWK) course. The course includes video content as well as a handbook to teach you the fundamentals. While Offensive Security won’t hold your hand throughout, there is enough support via the exclusive forums, support chat and the all-knowing Google for anyone determined enough to get through it. The PWK course features a simulated ‘real-world’ network where the goal is to gain access to the target machines on it, while the OSCP exam requires participants to remotely exploit and access a certain number of targets within a 24-hour period. Finally, a report must be submitted in the following 24 hours which documents the findings and processes carried out during the exam. This combination of testing students’ pen testing skills as well as their ability to manage time and produce valuable reports is definitely a good reason why the certification is still so highly regarded today.

Let’s Bust Myths

There’s already a ton of content online from current and former OSCP students. This has led to some opinions being entrenched as fact — and I want to give my two cents on things I’ve heard which could wrongly deter people from trying harder and earning their OSCP!

1. ‘You NEED relevant experience prior to taking the PWK course’.

This is something which is advised by Offensive Security themselves:

Now, I should make clear that having prerequisite knowledge is definitely going to help you progress more quickly through the course than somebody with no prior experience in Linux, networking or scripting. HOWEVER, don’t think that you need to currently be working as a system administrator, have your CISSP and write scripts on the daily to pass the OSCP. You’ll soon find out that this field requires you to be a strong self-learner, with Google being your greatest tool. As long as you have the determination to learn, I believe that you can become an OSCP with no prior experience in the above areas. Sure, it might take you a little longer than others — and it might mean that you are not using your PWK lab time as efficiently as you should be — but just know that you don’t need years of IT experience to earn this qualification!

2. ‘You don’t get tips in the exam, so don’t use them when you’re working through the labs’.

This one is extremely frustrating. I understand the sentiment: you don’t want to become reliant on guidance from others; sometimes it won’t be there and you must learn to find the answer on your own. That said, there are so many facets, tools and concepts at play in this field that newcomers can benefit greatly from a pointer every now and then. Let me use a trivial example to emphasise this point:

Bob is one week into his PWK course and is poking around the network. He comes across some text on a web page which looks like gibberish to him:

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

He doesn’t know how to proceed, and goes down a rabbit hole for hours trying to find out what this text means, and how it is relevant to exploiting the system. (Bob doesn’t know what Base64 encoding is, nor does he understand the process of SSH key-based authentication — wink wink). If Bob visited the Offensive Security Forums, he could ask for help and be directed on the right path. This would help him to learn as efficiently as possible: Bob now understands what encoding is, can instantly recognise Base64 and knows how to decode it via his Linux terminal, and also realises the relevance of public and private SSH keys in the login process!
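To make Bob’s lesson concrete, here is an added example (not from the original post) of the two things he ends up learning at the terminal: a quick heuristic for recognising Base64, and a safe way to decode it. The sample strings are constructed for this example; `looks_like_base64` and `decode_if_base64` are names chosen here, not standard tools. The heuristic is only a hint, since short ordinary words such as ‘test’ also happen to satisfy it.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): helpers for recognising and
# decoding Base64 text found during enumeration. Sample values are constructed.

# Heuristic: after removing whitespace (Base64 is often wrapped at 64 or 76
# columns), the text must use only the Base64 alphabet, may end in one or two
# '=' pads, and must have a length that is a multiple of 4. Returns 0 on a match.
looks_like_base64() {
    s=$(printf '%s' "$1" | tr -d ' \t\r\n')
    [ -n "$s" ] || return 1
    [ $(( ${#s} % 4 )) -eq 0 ] || return 1
    printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Decode only if the heuristic passes; otherwise print nothing and fail, so a
# random blob is not mis-decoded into binary garbage in your terminal.
decode_if_base64() {
    looks_like_base64 "$1" || return 1
    printf '%s' "$1" | tr -d ' \t\r\n' | base64 -d 2>/dev/null
}

# Constructed samples: the Base64 encoding of "hello world", and plain text
# that is not Base64 (it contains spaces and a '!').
SAMPLE_B64='aGVsbG8gd29ybGQ='
SAMPLE_PLAIN='this is not base64!'

# Usage: ./b64check.sh '<text>'  (prints the decoded text, or nothing)
if [ -n "${1:-}" ]; then
    decode_if_base64 "$1"
fi
```

The whitespace stripping matters in practice: a key or blob copied from a web page usually arrives wrapped over several lines, and `base64 -d` will refuse input with stray characters in it.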

The point is, there are going to be lots of unknown unknowns if you’re new to the world of cyber security. Getting a pointer every now and then will help you from wasting time in the labs. If you want to ensure that this doesn’t compromise your ability to learn independently, set yourself a rule where you only look for tips when you are truly ‘stuck’.

3. ‘You’re not going to pass the OSCP exam if you didn’t pwn at least 30 boxes in the labs’.

There’s no doubt some correlation between the number of machines exploited in the labs and the likelihood of passing the OSCP exam. A student who pwned 1 box in the labs is going to be less likely to succeed than one who exploited 50+.

That said, your performance in the labs does not dictate your exam success rate. You shouldn’t feel entitled to a pass because you hacked every machine, nor should you feel destined to fail because you only got access to less than half the machines on the PWK network.

The exam is its own beast, and tests many attributes which don’t really come into play during the labs. Some of these include:

  • Time management.
  • Ability to perform under stress.
  • Proficiency at multi-tasking.
  • Quality of performance while (probably) sleep deprived!

We’ll get more into how to maximise your chances of passing the OSCP exam in the following section.

Tips for Exam Success

1. Enumera…SHUT UP

Being told to enumerate is probably the most common tip out there — particularly in the PWK forums. If you’re stuck on a machine, this can seem to be frustrating advice, as you might feel as though you have already enumerated as much as you can to no avail — hence why you’re stuck.

However, it helps to reframe this concept as effective enumeration. If enumeration is running a bunch of scans and tools on the different services running, then effective enumeration is the process of actually analysing the results which they output. Often, the devil is in the details — and overlooking them could be the difference between finding your initial foothold and missing it. Of course, this isn’t to say you should start reading every single character of the MIB tree when enumerating SNMP, for example. Part of the art of effective enumeration involves knowing where to look for relevant information. This will come with experience over time — knowing what details should be considered valuable and where they can be found.

Having an enumeration cheat sheet handy during the exam will pay dividends. I created one in CherryTree which is divided by service (FTP, SSH, DNS etc.) and features common commands which are helpful in the enumeration phase. Shoot me a message/comment on here if you’d like it. (If there’s enough interest, I’ll post it on GitHub).

2. Maximise your Efficiency

Given the time-sensitive nature of the exam (you have 24 hours to exploit numerous systems), it helps to take as many preparatory steps as you can to optimise your workflow. Below are some of the things which helped me out:

  • Organise folders beforehand. Create an exam folder with all relevant material which could be of use during the exam. This can include reference material (cheat sheets etc), pre-compiled exploits, enumeration scripts, buffer overflow tools (file containing bad characters, pattern_create.rb and pattern_offset.rb), frequently used wordlists and so on.
  • Create scripts. These don’t need to be complicated — just simple scripts to increase your efficiency and keep a clean workflow. For example, you can write a simple Bash script to do your initial port scans for all the relevant targets which might look something like this:
#!/usr/bin/env bash
# usage: ./portScan.sh <fileName>
# read file, run full TCP scan against each host in the line-separated
# file (using xargs for multi-processing with the -P flag; -I {} substitutes
# each host into the command, and -oA writes nmap/gnmap/xml output per host)
xargs -P 4 -I {} sh -c 'nmap -sC -sV -p- -oA {}-allTCP {}' < "$1"
# read file, run full UDP scan against each host in the line-separated
# file (note the space between "-P 4" and "-I {}"; without it xargs reads
# "4-I" as the job count and fails)
xargs -P 4 -I {} sh -c 'unicornscan -p 1-65535 -m U -l {}-allUDP {} -v' < "$1"
  • Make a template for your notes. Having a pre-made CherryTree template will help to keep your enumeration notes organised, which will in turn make the subsequent report writing much less stressful.
  • Set hotkeys and macros where you can! Again, these might seem like small things, but they can really help you out when you’re fighting tiredness and stress. Something as simple as a macro for your IP address on the VPN saves you from entering it over and over again, and can keep you from making silly typos! One shortcut I particularly recommend is for screenshotting in Kali Linux — SHIFT+Print Screen. This will save a screenshot of a selected area in your default Pictures directory. With all the screenshot requirements for the OSCP, I bound this to a button on my mouse for quick usage!
  • Multiple Monitors. Having that additional screen real estate can really help with all the multi-tasking going on during the exam. You’re likely going to have terminal windows open (I personally recommend Terminator), a cheat sheet, a note-taking document and multiple browser tabs up at a minimum at any one time. A cluttered desktop workspace == a cluttered mind, which is definitely not a recipe for success under such intense exam conditions.
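Building on the port-scan script in the ‘Create scripts’ bullet, here is an added example (not from the original post) of a slightly more robust version of the same idea: it ignores comments and blank lines in the targets file, rejects entries that are not an IPv4 address or hostname (a stray typo otherwise becomes a wasted scan), takes the parallelism from a `JOBS` variable, and has a `DRY_RUN` mode that just prints the commands so you can sanity-check the targets file before committing to a long scan. The function names and the `JOBS`/`DRY_RUN` variables are assumptions of this script, and it assumes nmap is installed; the nmap flags are the ones from the original script.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): a more careful wrapper around the
# parallel nmap scan shown in the post. Assumes nmap is installed and the targets
# file has one host per line. JOBS and DRY_RUN are variables of this script only.

# Print the usable targets from a file: strip '#' comments and blank lines, trim
# surrounding whitespace, and keep only IPv4 addresses or plain hostnames.
read_targets() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' \
        | grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?)$'
}

# Build the nmap command for one target (same flags as the post's script);
# -oA writes <target>-allTCP.nmap/.gnmap/.xml alongside the script.
scan_cmd() {
    printf 'nmap -sC -sV -p- -oA %s-allTCP %s\n' "$1" "$1"
}

# Run one scan per target, JOBS at a time (default 4). With DRY_RUN=1 the
# commands are only printed, which is a cheap way to check the targets file.
run_scans() {
    targets_file=$1
    jobs=${JOBS:-4}
    read_targets "$targets_file" | while IFS= read -r host; do
        scan_cmd "$host"
    done | if [ "${DRY_RUN:-0}" = 1 ]; then
        cat
    else
        xargs -P "$jobs" -I {} sh -c '{}'
    fi
}

# usage: ./portScan.sh <targets-file>   (DRY_RUN=1 ./portScan.sh targets.txt
# to preview). Does nothing when no file is given, so the functions can be
# sourced from another script.
if [ -n "${1:-}" ]; then
    run_scans "$1"
fi
```

Keeping the command construction in its own function (`scan_cmd`) is what makes the dry run possible: the same text that `xargs` would execute is what you review, so there is no gap between what you checked and what actually runs against the lab.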

3. Rabbit Holes and How To Avoid Them

Going down a rabbit hole or two is inevitable in the world of pen testing. An exploit doesn’t work until it works, so a fair amount of trial and error is to be expected. That said, you need to learn to recognise when you’re in a rabbit hole and understand the importance of getting out. To paraphrase the great Albert Einstein, if you keep entering the same commands over and over and expect different results, you’re probably in a rabbit hole.

While it’s not possible to completely avoid them, having a general plan of attack which prioritises different services and attack vectors — and is backed up by thorough enumeration — is a good way to minimise the chances of going down a rabbit hole. Remember that the OSCP is an entry-level certification, so you’re not going to have to find some overly-complex blind SQLi or write a new exploit from scratch. If you find yourself going down that path, step back, have a break and re-read your enumeration output.

Closing Thoughts

The OSCP is undoubtedly worth both the monetary cost and time investment. Compared to other certifications out there, it is one of the more reasonably priced ones, comes with good learning resources, great support and an active and responsive community. Another perk is that the exam is taken remotely, and re-takes are fairly inexpensive.

One criticism which has been levelled against the PWK labs/OSCP exam is that the content is out of date. While this is in part true (don’t be surprised to find Windows 2k3 machines during your journey — though OffSec’s reworking of the PWK labs in 2020 may have addressed this), this argument overlooks the other valuable skills gained from the course. The OSCP will teach you a sound methodology that is timeless: from initial enumeration, to exploit research, to execution and finally the need to document your findings thoroughly in a well-written report. Throw in the resilient, ‘try harder’ ethos that you’ll need to succeed, and the OSCP does a great job of preparing you for a career in penetration testing.
