It feels like everybody who passes the OSCP has written a blog post about it. And, for a long time I thought I wouldn’t write one, because there is already a long list of excellent resources talking about passing the OSCP out there. I will provide a list of them down at the bottom of this post.
But whenever I stumbled across an OSCP guide, I felt like some things were missing. After I passed my OSCP exam at the end of 2022, some of my coworkers asked me for advice. Most of the time I pointed them to guides already available on the internet or shared my notes with them, but I always added some personal recommendations about methodology and mindset that I rarely see discussed in other OSCP guides. So this blog post is going to summarize those tips.
Before talking about how to approach the OSCP, I want to talk about some general stuff. I know it is written everywhere, but when I started out with the OSCP, I underestimated this part a little:
"Taking this certification will require an EXTENSIVE amount of work and time!" Coupled with the considerable amount of money it costs and the limited time you have to complete it, you really should consider if your bank account, your mental state, and your friends and family can endure you taking the OSCP. It might be the case that, for your current situation, there are other learning resources and certifications that are better suited to you.
Nevertheless, I have to mention the benefits of taking this course and exam:
After purchasing the course, you will have access to labs, video and written course content and exercises. Here is some stuff that helped me to succeed:
Knowing how to exploit Active Directory (AD) is essential for passing the OSCP. Luckily, there are some tricks to help you with it. The answer here is checklists. Why? Because for both Windows Privilege Escalation and Lateral Movement in an AD environment, there is only a limited number of possible ways to do it (at least as far as what they want you to know in the exam).
So how do we do it? Easy (well, somewhat): you prepare two checklists, one for PrivEsc and one for Lateral Movement. In the exam there will be three AD machines: one entry point, one internal machine and one Domain Controller. So you just need to find the initial exploit, and afterwards you take your PrivEsc checklist and go through each of the methods and try them. After trying each method you mark it as "Successful", "Definitely not possible" or "Haven't found a way yet". Sometimes you go through the entire checklist and everything fails; then you want to know what else is worth trying, and that is when you go back to the "Haven't found a way yet" entries. After succeeding, do the same with the Lateral Movement checklist, and so on.
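To make the two-pass checklist workflow concrete, here is a small tracker for it. This is an added example written for this post, not code from the original article or from any OSCP material: the method names in the sample list are constructed placeholders (build your own list from the course and the Tib3rius videos), and the status labels are the three from the paragraph above plus an "untried" starting state. The point it demonstrates is the ordering: untried methods first, then a second pass over the "Haven't found a way yet" entries, and an empty to-do list once something worked.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    """The three outcomes from the post, plus an 'untried' starting state."""
    UNTRIED = "untried"
    SUCCESS = "Successful"
    IMPOSSIBLE = "Definitely not possible"
    NOT_YET = "Haven't found a way yet"


@dataclass
class Checklist:
    """One checklist (e.g. PrivEsc or Lateral Movement) for one machine."""
    name: str
    host: str
    status: dict[str, Status] = field(default_factory=dict)
    notes: dict[str, str] = field(default_factory=dict)

    @classmethod
    def from_methods(cls, name: str, host: str, methods: list[str]) -> "Checklist":
        # Every method starts as untried; order of the list is the order you work through.
        return cls(name, host, {m: Status.UNTRIED for m in methods})

    def mark(self, method: str, status: Status, note: str = "") -> None:
        # Reject unknown names so a typo never silently becomes a new checklist item.
        if method not in self.status:
            raise KeyError(f"{method!r} is not on the {self.name} checklist for {self.host}")
        self.status[method] = status
        if note:
            self.notes[method] = note

    def succeeded(self) -> bool:
        return Status.SUCCESS in self.status.values()

    def next_to_try(self) -> list[str]:
        """First pass: untried methods. Second pass (nothing untried left):
        the 'Haven't found a way yet' ones. Empty once any method worked."""
        if self.succeeded():
            return []
        untried = [m for m, s in self.status.items() if s is Status.UNTRIED]
        if untried:
            return untried
        return [m for m, s in self.status.items() if s is Status.NOT_YET]

    def summary(self) -> dict[str, int]:
        """Counts per status label, handy for a quick line in your notes."""
        counts = {s.value: 0 for s in Status}
        for s in self.status.values():
            counts[s.value] += 1
        return counts

    def render(self) -> str:
        """Plain-text block you can paste straight into your exam notes."""
        lines = [f"== {self.name} checklist: {self.host} =="]
        for method, s in self.status.items():
            note = f"  ({self.notes[method]})" if method in self.notes else ""
            lines.append(f"[{s.value}] {method}{note}")
        return "\n".join(lines)


# Constructed placeholder entries; replace with the methods from your own course notes.
SAMPLE_PRIVESC_METHODS = [
    "method A (placeholder)",
    "method B (placeholder)",
    "method C (placeholder)",
]


def walkthrough() -> Checklist:
    """Plays out the workflow from the post on the sample list and returns the result."""
    cl = Checklist.from_methods("PrivEsc", "internal-host (placeholder)", SAMPLE_PRIVESC_METHODS)
    cl.mark("method A (placeholder)", Status.IMPOSSIBLE, "precondition not met")
    cl.mark("method B (placeholder)", Status.NOT_YET, "looked promising, needs more digging")
    cl.mark("method C (placeholder)", Status.IMPOSSIBLE)
    # First pass exhausted: next_to_try() now returns only the 'not yet' entries.
    second_pass = cl.next_to_try()
    for method in second_pass:
        cl.mark(method, Status.SUCCESS, "worked on the second look")
    return cl


if __name__ == "__main__":
    print(walkthrough().render())
```

Keeping one `Checklist` object per machine (three for the AD set) makes it obvious which host is still missing a "Successful" entry, and `render()` gives you text you can drop into your notes as you go.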
Additionally, you have to know pivoting, and you have to do it without Metasploit, so I encourage you to look at tools like chisel (https://github.com/jpillora/chisel) and to understand SSH tunneling in depth.
This one is not a novel or secret tip, but I wanted to include it anyway: use AutoRecon by Tib3rius (https://github.com/Tib3rius/AutoRecon). Use it from the first day on; this will give you a feeling for how exploitable and non-exploitable recon results look.
If you have the time (medium priority for the OSCP, high priority for a real job), learn each of the recon tools on its own. In a real-world Red Team engagement there will be no AutoRecon.
Practice it hard, keep good notes and watch the courses by Tib3rius:
https://www.udemy.com/course/linux-privilege-escalation/
https://www.udemy.com/course/windows-privilege-escalation/
While you watch them, take note of all the ways shown and compile them into a checklist.
I recommend you do the following preparations:
But to be honest: all of the above might be useful, but you will only pass the exam if you have studied and prepared really well. Good luck.
If you liked this article, or you want to have a chat about preparing for the OSCP with me, you can find me over on Twitter @secbyaccident. You can also check out all my other stuff on https://security-by-accident.com/.
https://johnjhacking.com/blog/oscp-reborn-2023/
https://hakluke.medium.com/haklukes-ultimate-oscp-guide-part-1-is-oscp-for-you-b57cbcce7440
https://github.com/0x4D31/awesome-oscp
https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide
Also published here.