Zero to almost hero to hero: My OSCP Journey 2022

Ji Cheng
May 20, 2022

My journey to completing the Offensive Security Certified Professional (OSCP) examination started back in 2021. I had just received my CompTIA Security+ certificate and was taking a penetration testing module at my university. Recognising that this was the career route I wanted, I turned towards the OSCP to hone my pen-testing skills. This article summarises all the resources I used (pros and cons), the number of machines I pwned in this 1 year journey and also the lessons learnt throughout the process. Fair warning, the opinions expressed are solely my own and do not express the views or opinions of any organisation.

Timeline and Background

Coming into the preparation, I had basic Linux command line skills based on the modules taken at my university. I had basic security, networking and operating system knowledge as well. I had also used some of the tools present in Kali due to my involvement in several CTFs (although I never got anywhere near the leaderboards). As for the timeline, I started out with the TryHackMe absolute beginner path, followed by pwning my first HackTheBox machine in July 2021. In December 2021, Offensive Security threw me a curveball by introducing changes to their OSCP examination (https://www.offensive-security.com/offsec/oscp-exam-structure/). My first attempt was on 7 April 2022 and my second attempt, which I passed, was on 11 May 2022.

Resources Utilised

Resources are listed chronologically by when I used them during my journey. At the end of the article, I will also rank the resources on their practicality in preparing for the OSCP.

Tj_Null Reference list of machines: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/

  1. TryHackMe (https://tryhackme.com/)

I started off my journey by completing the “Complete Beginner” path as well as the “Web Fundamentals” path. These two paths gave me a baseline knowledge of the tools that I was expected to be using a lot throughout the OSCP course. It was quite a good refresher for me as I already knew how to use some of the tools.

Pros: Step-by-step guidance on the usage of tools. Machines on this platform come with plenty of hints to help out beginners.

Cons: Not applicable to you if you already have some knowledge of the tools.

  2. HackTheBox (https://www.hackthebox.com/)

Next up, I utilised the list of machines provided by Tj_Null (link provided above) and completed the machines on HackTheBox. The learning curve was pretty steep, but there were many fantastic walkthroughs available. For video learners, look no further than Ippsec (https://www.youtube.com/ippsec), who does fantastic walkthroughs on YouTube. For those who like to read guides, 0xdf (https://0xdf.gitlab.io/) is a great author of walkthroughs for various machines.

Pros: You will learn plenty of web application hacking methodology, some unique services as well as privilege escalation techniques.

Cons: The machines are pretty CTF-y, meaning that some have unique quirks that will only appear on that machine. Some of the Windows machines were also pretty old, so some methods such as PowerShell might not work as well.

  3. Virtual Hacking Labs (https://www.virtualhackinglabs.com/)

After working through almost 80% of the HackTheBox list, I moved on to VHL to practice on their machines. They provide a PDF guide to pen-testing and it was very comprehensive. Although I did not read through the whole guide, I would say that the privilege escalation portion of the guide is definitely worth a read. As for the machines, they are excellent in solidifying your initial foothold methodology. You will be tasked with enumerating many content management systems (CMS) and finding exploits for them.

Pros: Excellent resource to learn how to enumerate CMS on websites as well as some SQL injection methods.

Cons: A large proportion of the privilege escalation vectors are kernel exploits. With that being said, my compiling skills levelled up quite a bit with some machines. There are also no walkthroughs for these machines; you will have to go onto Discord and ask for help.

  4. Proving Grounds (https://www.offensive-security.com/labs/)

After completing VHL, I subscribed to Offsec’s Learn One package, giving me access to the Proving Grounds (PG) practice labs. In my opinion, these labs were fantastic and the most useful labs in my preparation for the OSCP. My advice is to go through all the machines rated community easy, intermediate and hard. You will definitely sharpen your overall methodology when completing these machines. Each machine comes with three hints as well as a walkthrough. You can redeem up to three hints and one walkthrough every day. Through these machines, you are already slowly being taught the “Try Harder” mentality of Offsec, as some of these machines are quite tough (but doable).

Pros: Machines are well structured and useful hints are provided when stuck. I learnt a lot from completing these machines.

Cons: No cons really; I definitely recommend this.

  5. PWK Labs

Lastly, the PWK labs themselves. The PWK labs allowed me to truly understand the way Offsec sets machines, and going through them built my confidence for the examination (more on the Active Directory set later). Going through the 5 retired machines was definitely a plus and it helped me solidify my enumeration methodology as well as various privilege escalation methods. You will also have to learn various pivoting methods to pivot through the various subnets to reach certain machines. It is also through these labs that I was exposed to the Offsec Discord, which is filled with like-minded individuals going through the course as well. There are also wonderful student admins who will give you some hints if you are stuck. Also, do not skip out on the PWK notes. These notes contain valuable information which will allow you to complete the PWK labs more easily.

Pros: Machines are created by Offsec, so you get a feel of what some machines might be like.

Cons: Machines are hosted on a shared network, meaning that if some students do not clean up after their exploits, you might see some artefacts lying around. Sometimes, when a student resets a machine, your machine will be reset as well.

Active Directory (AD) Preparation

In December 2021, Offsec changed their OSCP examination structure to include an Active Directory component. Until then, I had not prepared for AD and immediately went to find resources on it. Having gone through the preparations, I believe the main source of your AD preparation should be the PWK notes as well as the PWK labs. Compared to other resources such as PG, HackTheBox or even CyberSecLabs, the AD sets in the PWK labs consist of a few domain controllers and one domain admin machine. This is similar to the examination structure as announced by Offsec, which states that the AD component will consist of 3 machines in total and that a complete exploitation of the whole AD chain is required to receive the points. Therefore, as compared to the standalone AD machines, the PWK labs will help you the most in your preparation.

I went ahead and purchased a single month subscription of CyberSecLabs to have access to their AD labs. They were good practice for some AD attacks, but some require a higher level of knowledge, such as AMSI bypass, which is out of scope for the OSCP. Therefore, use CyberSecLabs with discretion for your AD preparation.

Here are some other resources I used to sharpen my general AD knowledge:

Buffer Overflow Preparation

In the new examination syllabus, a buffer overflow machine might not appear, but if you are lucky, it might be one of the machines. Exploiting the buffer overflow vulnerability will give you a low-level shell, which gives you 10 points. I said lucky because these 10 points are relatively easy to achieve, as long as you follow the necessary steps. I used only two resources to prepare for buffer overflow and both of them are amazing for it.

Privilege Escalation Preparation

Besides going through the labs to sharpen your priv esc skills, I would highly recommend getting Tib3rius’s (https://twitter.com/0xtib3riu) privilege escalation course. Do follow his Twitter as there are regular discount coupons on various platforms for his course. There are also two separate TryHackMe rooms (one for Linux and one for Windows) to practice the skills taught.

Community

Throughout my preparation, besides relying on just the notes and machines mentioned above, I was also very appreciative of the community as a whole. Reddit r/oscp (https://www.reddit.com/r/oscp/) is one of my favourite communities as there are people there who will share their war stories. This not only inspired me to work harder but also let me learn from their mistakes and emulate their successes. Offsec’s Discord is also a great place to meet like-minded individuals who are there to conquer the OSCP as well.

Preparation Summary

Here is a summary of the total machines I pwned throughout my OSCP preparation. Fair warning, I massively over-prepared for it because I was not confident in my skills.

  • Proving Grounds: 55 Machines (37 Linux + 18 Windows)
  • HackTheBox: 53 Machines (36 Linux + 17 Windows)
  • Virtual Hacking Labs: 46 Machines (37 Linux + 9 Windows)
  • PWK Labs: 45 Machines (Including AD sets)
  • CyberSecLabs: 6 AD Machines (Some required AMSI bypass which is out of scope for OSCP)

As promised, here is my ranking of resources to use for preparation:

  • Machines: PG > PWK Labs > Virtual Hacking Labs > HackTheBox
  • Active Directory: PWK Labs > PG > CyberSecLabs > HackTheBox
  • Buffer Overflow: TryHackMe + The Cyber Mentor’s YouTube

The Actual Examination

I failed my first attempt with 30 points as I was unable to compromise the AD set. After looking back and reviewing, it was a mistake on my end and I was overly stuck in a rabbit hole (more on how to avoid it later). I spent 24 hours on it and was absolutely demoralised and exhausted after the exam. I spent the next 4 weeks recovering and not thinking about it. I got more confident in my preparation and sharpened my methods so as to not spend too much time on each component. On the second attempt, I continued to take regular breaks like in my first and also learnt from those mistakes. I managed to crack the machines within 12 hours and took the next 6 hours or so to write my report. I proceeded to write my report within the first 24 hours because I still had access to the examination labs and I could still take additional screenshots if necessary. (After the 24 hours, your VPN access will be cut and you will no longer be able to access the labs, so take your screenshots!)

Examination Tips

Here are some tips that will hopefully help you in your examination. Of course, I will not be revealing any information about the actual machines of the exam, but these are tips that will make life easier:

  • Schedule your examination early so as to book your preferred timing

Do not book your examination too late as the preferred time slots (normally during the day) would be gone. I am assuming that most people work better throughout the day and therefore would prefer those slots.

  • Read through the OSCP Exam Guide and Proctor Guide

There are many nuggets of valuable information in these two guides that will greatly reduce the stress on exam day. For proctoring, make sure that you can move your laptop or webcam around freely because they will be checking your surroundings for any digital devices (these are not permitted). For the exam guide, take note of the section which describes how to take the screenshots for proofs, as this is very important to prove that you have indeed compromised the machines.

  • Take regular breaks and have your food options settled

The exam is gruelling, but you do not have to make it that way. Take regular breaks to step out of the room and relax. Have meals planned out so that when you are hungry, you can immediately go and have your food.

  • Take the time to read through the exam control panel

Once your examination starts, you will be given a unique link to the control panel. This is where you will submit your proof hashes as well as get more information about the machines allocated to you. Take a good 15 minutes or so to read through each description as there is valuable information. If you are lucky enough to get the buffer overflow machine, there will also be instructions on it. Do not immediately rush into the examination; there is plenty of time for you to do so.

  • Spend a maximum of 1 hour on each attack vector

Unless you are extremely sure that you are on the correct attack path, spend only 1 hour on each vector before moving to the next. Make a note in your notes such as “TODO: Come back to perform more enumeration” and move on to the next attack vector that you have identified. Repeat this after 1 hour and continuously go through the “TODOs” in your notes. This method will allow you to avoid spending an excessive amount of time on a possible rabbit hole and to try out other methods first.

Conclusion + Extra Resources

Overall, the OSCP has been a tough but rewarding journey. I feel that I got a lot out of the course, learning a variety of penetration testing techniques as well as non-technical aspects such as note taking. Take the OSCP journey as a reward in itself, instead of rushing through it simply to gain the certificate. To end, I will provide some links to resources and references which were extremely useful in my journey:
