Here is the information collected from reading OSCP reviews, along with my own thinking about preparation.
In my case (and yours too), organization is the key.
The reason? Like a lot of other aspiring IT security people, I am a father (of 2), a husband, a new house owner and an involved employee. So the 90 days of lab will be an absolute necessity, and they must be used in the best possible way to avoid retaking the exam too many times.
Expect some updates to this page (and to the website too).
To do BEFORE purchasing OSCP
- 90days => 1150$
- exam retake => 60$
- 2 weeks lab extension => 150$ (with a free exam attempt included)
- No more social life during the training
- Not a certification that can be obtained with weekend-only work.
- As my current position is highly time-consuming, I cannot consider working on it during business hours.
- Prepare family/friends for the dedication needed to pass this exam.
- Be sure to be able to dedicate at least 4 hours a day for 5 months (2 of preparation + 3 in the labs).
- Spend the first 2-3 weeks working on the exercises and coursework.
- Synchronise & dedicate my personal cloud (NextCloud) to everything learned, documentation & standalone tools. In case of a VM crash, restoration will be much easier.
- CherryTree: for note taking. Tree idea: Enumeration, Exploitation, Privilege Escalation, Flags, Flyover (contains the full network enumeration scans, DNS enumeration, and a log of which boxes are already owned and which ones are still missing).
Read these useful links
- OffSec Support
- OffSec IRC Guide
- OffSec Report Example
- Pentesterlab if I have some more time… But I don't think so!
- IppSec videos <= Mandatory
- BlackHat nmap scanning the Internet - 45min
- Enumeration CheatSheet
- Some targets are exploitable in more than one way.
- Many of the exploits will not work without modification. Sometimes the manual way works better than the public exploits. Use Google (not only the top-level answers).
- It is not required to solve all 55 machines, but targeting at least 25 VMs + 2 of the 4 difficult ones is highly recommended.
My HackTheBox profile: best ranking was 287 before OSCP training.
Here is a list of machines I hacked on HTB; all were done before being retired, with the write-up attached when done.
- DevOops: XML External Entities (XXE) + Python pickle + git
- Aragog: XML External Entities (XXE) + processes stalking
- Bashed: basic fuzzing + Bash interactive + Python reverse shell
- Celestial: exploit NodeJS object deserialization
- Jeeves: Jenkins Groovy scripting + KeePass cracking + SMB PassTheHash + hidden data stream
- Nibbles: Proper Enumeration + File Upload
- Silo: Oracle (enum SID/schemas, file upload) + extracting info from a memory dump + PassTheHash
- Stratosphere: Apache Struts + Python library Hijacking
- Sunday: finger enum + SSH brute force with Hydra + wget POST
- Valentine: Heartbleed + tmux
And here is a list I cannot publish yet (HTB rules), because you cannot publish a write-up while the machine is still active.
VulnHub: it is highly recommended to own these VMs and fully understand every single step to root them:
- Kioptrix Level 1
- Kioptrix Level 1.1
- Kioptrix Level 1.2
- pWnOS v2.0
- SickOs 1
- SickOS 1.2
- FristiLeaks 1.3
- LordOfTheRoot 1.0.1
After purchasing OSCP courses
OffSec Virtual Machine
Running apt upgrade will break things on the VM provided by OffSec. One exception is searchsploit -u.
- The provided Offsec VM runs on VMware
- Rotate through machines every 3-4 hours.
- Spend at least 2-3 days working 14-16 hours straight on the PWK labs (take vacation days, not just the weekend).
- Simulate the exam by attacking 3-5 machines during this period.
- Spend the next week (or 2) rooting the low-hanging fruit; then move on to harder machines and the other networks.
- 55 machines to hack, 4 networks (Public, IT, Development, Admin). Direct access only to the public network; the other networks must be unlocked with the secret keys obtained through proper post-exploitation.
- About 350 pages of simple examples & hacking concepts. For each one of them I (you) need to research it & try it. Consider this technical document as a summary of the OSCP learning.
- Always upgrade the shell once connected to a system.
- Complete ALL coursework/exercises before working on the lab machines. If not, I (you) risk being blocked at some point and falling into a rabbit hole.
- UNDERSTAND each exercise.
- Use the PWK forums only when stuck on the same machine for 8+ hours.
- Document everything.
- Connection to the other networks is done by port forwarding and proxy chaining.
- The 4 main difficult machines are: pain, sufferance, humble and gh0st.
- Do not hesitate to try stupid things.
- I (you) will experience lots and lots of pain, frustration and loss of patience. But NEVER GIVE UP!
- Root as many machines as possible without using Metasploit, Meterpreter, and sqlmap.
- Take 2 days off before the exam. Go have some fun, because the exam will not be
- A 70/100 score is required to pass the exam.
- The exam is 23h45 to pentest 5 boxes + another 23h45 to write & submit the report.
- 5 bonus points for submitting a PDF lab report (10 machines minimum).
- 5 bonus points for submitting the report for all lab exercises.
- 2x25pts + 2x20pts + 10pts
- 1 of the 25pts boxes is the b0f (buffer overflow) one.
- Metasploit can be used only once (restricted to auxiliary, exploit & post modules) + cannot change the target.
- Read every word in this document several times: OSCP Exam Guide
- Take regular breaks
- A good idea seems to be to start the exam at 3PM, work 10 hours, sleep 4h, work 10 hours.
- Start with the exploit writing (buffer overflow) machine. If properly practiced, it can be finished within 2 hours maximum.
- Next, focus on the machine with the fewest marks. It will require some proper enumeration.
- Then attack the remaining 3 machines. Enumerate, enumerate and enumerate. Never leave anything out. Try all the stupid things. Do not panic.
- Submit the flags (local.txt & proof.txt) in the exam panel immediately once you retrieve them.
- OffSec Report Example
- When documenting machines (labs and exam), include every step. No need to include things that didn't work. Include a single screenshot which displays the proof.txt file, ifconfig/ipconfig, whoami, id, or similar.
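The proof screenshot described above is easy to get wrong under exam-day pressure (flag file missing from the shot, wrong user, no interface address). As an added example (my own helper, not something provided by OffSec or by these notes), here is a small POSIX shell script that prints the flag, identity and addresses as one block so a single screenshot captures all of it, and refuses to run if the flag file does not look valid. Assumptions: the flag is a 32-character hex string (an assumed format, not stated in the notes), the file lives in the directory passed as the first argument, and `hostname`, `ip` or `ifconfig` may or may not be present on the target, so each has a fallback.

```shell
#!/bin/sh
# Added example, not part of the original notes: print the evidence the
# report needs (flag file, whoami/id, interface addresses, timestamp) in one
# block so one screenshot shows everything.
# Assumption: a flag is exactly one 32-character hex token (assumed format).

# flag_looks_valid FILE -> exit 0 if FILE holds exactly one 32-hex-char token
flag_looks_valid() {
    [ -f "$1" ] || return 1
    # strip all whitespace, then require the whole remaining line to be 32 hex chars
    tr -d '[:space:]' < "$1" | grep -Eqx '[0-9a-fA-F]{32}'
}

# proof_banner DIR [NAME] -> print the evidence block for DIR/NAME
# NAME defaults to proof.txt; pass local.txt for the low-privilege flag.
proof_banner() {
    dir="$1"
    name="${2:-proof.txt}"
    file="$dir/$name"
    if ! flag_looks_valid "$file"; then
        echo "ERROR: $file is missing or does not look like a 32-hex flag" >&2
        return 1
    fi
    echo "=== $name ==="
    cat "$file"; echo
    echo "=== identity ==="
    echo "hostname: $(hostname 2>/dev/null || echo unknown)"
    echo "whoami:   $(whoami 2>/dev/null || id -un)"
    echo "id:       $(id)"
    echo "=== addresses ==="
    if command -v ip >/dev/null 2>&1; then
        # one line per interface: name and IPv4 address
        ip -o -4 addr show 2>/dev/null | awk '{print $2": "$4}'
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig 2>/dev/null | grep 'inet '
    else
        echo "(no ip/ifconfig available on this host)"
    fi
    echo "=== date ==="
    date -u
}

# usage on the target after sourcing this file:
#   proof_banner /root            # root flag, prints the block or fails
#   proof_banner /home/user local.txt
```

Because the script exits non-zero when the flag file is absent or malformed, it doubles as a check that you are reading the real flag and not a decoy or an empty file before you take the screenshot and submit it in the exam panel.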