In December 2022 I took the updated OSCP exam and passed with what I presume was a perfect score, 110/100. It has been an interesting journey over the last year as I have been preparing. I spent a lot of time on the OSCP subreddit and reading the write-ups from people who had recently passed, on Reddit, Medium, and the like. I don’t know if the world needs another write-up, but I figured that if they helped me I may as well pay it forward. Today, I will try to detail some of my thoughts and how I prepared for the exam itself.
How We Got Here
In December 2021, I took a promotion at work to join the Product Security Red Team. This entails security assessments and testing of Embedded Automotive ECUs. Penetration testing is not something I had done professionally up until that point. While I had some experience with offensive security during my undergrad and graduate programs, I still had little insight into how an enterprise red team operated.
During my interview and in early discussions with my new manager, he had mentioned that it was important for team members to be open to upskilling and working towards new certifications. As I could use more experience pentesting, we set the OSCP as one of my goals for the year. I am really grateful for this opportunity as they also offered to purchase the Learn One subscription for me. After earning the CISSP last year (2021), I also felt this exam would be a good balance as a far more technically-oriented certification.
I knew with the Learn One subscription I would want to study as much as I could before attempting the test. However, it is nice to know that you get two attempts. Sometime in late March they purchased the course and I started in. This was an interesting time for Offensive Security and their coursework. I knew I would be doing the OSCP and started looking into it in January of last year, when all of a sudden they changed the exam format to focus more on Active Directory.
This only added to my worry. At work Active Directory is not something I would need to interface with, so I knew I had less experience there. Going in, AD and Buffer Overflow were my biggest concerns. Of course, I had also heard all the stories about how notoriously hard this test can be.
Taking the PWK
Admittedly, I did not get the quickest start on the course itself. I think at first I was working through the PEN-100 coursework by accident as I didn’t fully understand the layout of the Offensive Security student portal. Once I figured out that I didn’t need to complete that before starting on PEN-200 I switched my focus. My experience with the PWK is that the course is your best friend to prepare for the OSCP.
I started by reading each chapter and then watching the videos. Honestly, the videos were almost word-for-word the same content as in the chapters. I can see that they may add value if you are a visual learner or to follow along when they do some of the in-chapter exercises, but I think I stopped watching them somewhere around the sixth topic.
At this point, Offensive Security had introduced the new interactive challenges, but the bonus points still required you to complete all the written exercises and document the process along with screenshots. When I noticed all of these exercises were required I started taking detailed notes with Obsidian. I also had to return to the beginning of the course and check whether each practice section was a required part of the lab report.
This lab report is in my opinion a critical portion of your studying for the exam. Ever since they bumped its value and changed the test format, the 10 points can easily be the reason you pass or fail on exam day. Without the bonus points it is impossible to pass the exam if you don’t exploit the full AD network chain. Even once you get the Active Directory portion, those points completely change your path to success.
That being said, I felt that the written exercises and accompanying screenshots were kind of vague and a slog to get through. So it was certainly a breath of fresh air when Offensive Security changed the bonus point structure so that you would get the points after completing 80% of the interactive exercises for each topic and capturing the flag from 30 practice boxes in the PEN-200 labs. These exercises are very well developed and I benefited from the hands-on nature of the course. Notably, some of the written exercises felt like they hadn’t been updated or were for earlier versions of the content.
In this course it is important to know your own learning style. As with any self-guided course, you can only rely on yourself to internalize the content and learn the topics. Therefore, knowing how you commit new information to memory is going to help greatly in determining how to approach this content. For instance, it really helped me to make some notes as I went along, documenting how I did the exercises and creating pages in Obsidian for each of the topics. This will help give you something to refer back to when working on the labs and can be used later to make exam cheat sheets.
I studied the course pretty intermittently for the first few months I had access. I did make a big push in early July when I had some time off. After returning from DEF CON in August I knew I had to get serious with my studies. I had read so many reports from people saying they had studied hundreds of hours and had worked through at least that many machines on TryHackMe/Hack The Box/Proving Grounds. Knowing I also needed to get the flag from 30 lab machines, I planned to work on two machines a week while I did the course so I could attempt the exam in December.
I figured that if I passed in December it would be nice to have it done in year one and if I failed it would give me enough time to study for another 4 to 6 weeks and then retry before my subscription expired. I have also found that scheduling a date for taking exams helps to motivate me and keep me focused.
A quick note on Buffer Overflow
This topic worried me. Starting with the Windows BoF chapter I felt really out of my element. Because of this I actually skipped these topics so that I could work through them at the end hoping to have these topics fresh in my mind when I took the exam. I think this fear was overstated. There is a lot of good information out there on how to tackle these challenges. I don’t think you need anything more than the PWK course itself.
The topics include interactive and written challenges that will give you lots of hands-on experience exploiting BoF in both Windows and Linux environments. On top of this, there is a very clear methodology to tackling these. This test won’t throw any crazy curve balls at you so the process is similar every time.
- Find the Overflow
- Use pattern_create and pattern_offset to find the offset to EIP.
- Check for badchars using mona or even manually.
- Locate a JMP ESP return address.
- Generate Shellcode (don’t forget the NOP sled).
- Fire the Weapon.
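The two analysis steps in the list above, finding the EIP offset with a cyclic pattern and narrowing down bad characters, are mechanical enough to script. The following is an added example in Python and is not code from the original post or from the PWK course; it re-implements the Metasploit-style pattern (Aa0Aa1Aa2…) rather than calling the Metasploit tools, assumes a 32-bit x86 target where the debugger shows EIP as a little-endian 4-byte value, and uses constructed values (a made-up EIP and a made-up memory dump) for the demonstration.

```python
"""Cyclic-pattern offset lookup and bad-character comparison for
buffer overflow triage. Added example, not part of the original post."""
import string
import struct

# A Metasploit-style pattern stays unique for 26 * 26 * 10 triples of 3 bytes.
MAX_UNIQUE = (len(string.ascii_uppercase) * len(string.ascii_lowercase)
              * len(string.digits) * 3)


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Ab0Ab1..."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # only reached for length <= 0


def pattern_offset(eip_value, length: int = MAX_UNIQUE):
    """Offset of the bytes that ended up in EIP, or None if not found.

    `eip_value` is either the register value as the debugger prints it
    (an int, interpreted as 32-bit little-endian, the x86 convention
    assumed here) or the 4 ASCII characters / raw bytes themselves.
    """
    if isinstance(eip_value, int):
        needle = struct.pack("<I", eip_value)
    elif isinstance(eip_value, str):
        needle = eip_value.encode()
    else:
        needle = bytes(eip_value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def all_bytes_except(excluded=()) -> bytes:
    """0x01..0xff with already identified bad characters removed
    (0x00 is left out from the start since it terminates C strings)."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def first_badchar(sent: bytes, observed: bytes):
    """Compare the bytes sent with what was found in memory and return
    the first byte that was altered or truncated, or None if all match.
    Everything after a bad character is often mangled, so remove that
    byte from the next test string and repeat instead of trusting the
    rest of the dump."""
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):
        return sent[len(observed)]
    return None


if __name__ == "__main__":
    # Constructed value: a crash that reported EIP = 0x61413161 ("a1Aa").
    print("EIP offset:", pattern_offset(0x61413161))
    # Constructed memory dump in which 0x0a truncated the copy.
    probe = all_bytes_except()
    dump = probe[: probe.index(0x0a)]
    print("first bad char: 0x%02x" % first_badchar(probe, dump))
```

Both helpers mirror the manual workflow from the list: send `pattern_create(n)`, read EIP from the debugger, feed it to `pattern_offset`; then send `all_bytes_except(found_so_far)`, compare the dump with `first_badchar`, add the result to the exclusion set, and repeat until it returns None.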
The PWK labs are really all you need to succeed on the exam. The 75 or so machines available to you with the PWK course have a great mix of challenges and knowing that some of the boxes are retired exam machines is a nice confidence boost as well. Working in this environment allows you to test out all of the tools needed to pass the exam. There are some tips I learned that helped me.
First of all, don’t feel like you have to do all the labs with no help. I would first recommend starting with a few of the machines mentioned in the OSCP Learning Path.
There is no way you will know all you need to be able to tackle all the machines at this point, and it will just be a waste of time trying to exploit them without some hints. These machines are good because they will help you get your feet wet and start to develop a process. I had done some Hack The Box prior to studying for the OSCP but nothing very consistently. Much is made online about creating and following a methodology. Doing these machines with the hints/walkthroughs can help you build out the framework of that methodology.
I know many people will tell you to build templates for note-taking when doing boxes. Here is where that template is built out. If that method helps you, then add new tests/scans/checks to your framework as you learn about them in the labs. This way, come exam time, you will have comprehensive notes about what commands can be run and when. I really thought that Obsidian shined here. Its ability to reference other pages via backlinks and tags allowed me to build a knowledge base that I referred to time and again as I worked through the lab environment.
Along these same lines, as you venture further and further into the labs and start to discover more of the environment do not be afraid to go to Discord or the Forums to look for help when you are stuck. Certainly, give it a shot first, but if you get stuck there is no shame in getting help. The important part here is to recognize where you are stuck and make note of what it was that ultimately got you past that point. Was it a new tool? Some new technique? A service that was unfamiliar? Take the time to understand what it took to get past that point and then start working on your own again.
Even up until the week before the test I would come across machines that I needed help with. But every time it happened I took it as a learning opportunity. As long as you come away from the box with some new knowledge, experience, and techniques then you have made progress. As time goes on you will find that you’ll need that extra push less and less often. This is a good sign. With some experience, you will start to come across low-hanging fruit machines that will take you less than an hour. Maybe even as little as 20 or 30 minutes.
My goal was to get to 30 machines so I would qualify for the bonus points. At first this seemed to be a daunting task. The prospect of popping 2 boxes a week or so became more concerning with every week. As with the exam itself, you have to keep your anxiety in check. Once I started rolling on these labs I got into a groove. There are 2 AD sets in the labs that are 4 machines each. One weekend I think I was even able to check off 9 machines. Combine this with the fact that there are walkthroughs for another 10 on the website and that 30 number is not so bad at all.
I reached 34 flags about 2 weeks before the exam. At this point I decided to take a look at TJ Null’s OSCP-like PG Practice list. On there I tried to focus on doing a few Windows boxes as I felt that this was likely still my weak point. Honestly though, I was so happy to have completed all the work to be awarded the bonus points that I kinda took my foot off the gas. I felt that I had done good work doing the labs and all the exercises, and that while it might help to do a few more, taking some time to just let the knowledge solidify without frying my brain would be beneficial as well.
Don’t feel pressured to cram at the last minute for the exam. I don’t think it can be done. Do the work, study the content, complete the labs and you will be prepared. There is no shortcut to putting in the time. This is why the Learn One subscription is worth it. Unless you come to this exam with some previous experience, the full year to study will be well worth the investment (especially if work is paying).
As I mentioned, in the week leading up to the test I tried to look at PG practice boxes since I heard they may be more representative of the exam structure. I did a couple and used a walkthrough online when I got stuck. That author had write-ups for most of the machines on TJ’s list. So as I was running out of time, I just read the write-ups as a review and a way to round out what different kinds of techniques I had come across. Those can be found here:
There is not much more I can say here. My strategy was to hit the AD set first. Knowing that without it you have to get every other point and the bonus points to pass makes it pretty clear that the AD chain is important. If you have done all the AD sets in the exercises and labs you will be fine.
I spent more time in the labs on Windows boxes because I wanted to be comfortable there and I get less hands-on time in Windows at work. Practice using the tools for SMB, Kerberoasting, and dumping hashes. Another thing to make sure you are practiced at in the labs is pivoting. They have multiple network segments in the labs that are only accessible via tunneling, and I used this knowledge on the test.
Try to learn how a technique works, not just a particular tool. You never know what is going to work or not work on exam day. Having the ability to adjust and use different tools will be beneficial.
People say enumeration is key and I agree. I learned during my lab time that sometimes the answer is sitting in plain sight, so enumerate fully and take the time to read the output. Even if it is something you have skimmed through 1000 times in practice you should be reviewing all output from your scans. And don’t forget that enumeration is on-going.
It is easy to run a quick scan and move along. But if you get more access or new credentials, maybe now you can run a credentialed scan as opposed to a non-credentialed one. Does this reveal any new information that you didn’t have before?
For me, I was able to get the full AD set in about 6.5 hours. Two hours later I had completed my first stand-alone box, including a quick walk to get my blood flowing a little. It took me another two and a half hours to get the next stand-alone box. At this point I was feeling pretty good with 90 points. Finally, I came back to the last machine. I had spent some time on it before but with little luck and a few rabbit holes. When I came back I noticed something I had originally missed and then was able to exploit the final box in about an hour. It only took me 25 minutes on this one for the privilege escalation.
All told, I completed the exam in just over 12 hours. Since I started at 7 am I didn’t have to worry about sleeping during the exam. I was elated to have 110 points as my eyes turned towards the report. Before I ended the exam I walked myself through all my notes to ensure I had all the screenshots I needed, and I did end up taking a couple more. I tried to start my report that night, but after about an hour I was losing focus and decided to call it a night and work on the report in the morning.
This entire course was an incredible experience through and through. While some people balk at the cost, it was cheaper than both offensive security courses I took in school and I felt that it covered way more ground. You will learn so much if you put in the work and getting certified is the cherry on top.
Active Directory Attacks