Showdown With The OSCP Exam

There is not much to say about the OSCP exam that others haven't already covered in their personal stories and blogs; however, I'd like to provide my perspective in order to motivate or encourage others to chase their goals even when not directly in the industry.

by Johann Van Niekerk


Have a read of my review of the course itself.

It has been a couple of weeks since sitting and passing the exam (26th August 22) and I have taken some time to reflect on the journey and its eventual conclusion.


I am a banker. I've been part of various lines of business within large corporations and banks: customer service, sales and analytic roles. My day job is still within the bank; however, my passion and goals are within cyber security.

I have zero professional background or experience within IT (only personal experience tinkering with computers and networks since I was a little kid) and I do not have a developer background either. However, I had clear, achievable goals that I set for myself that allowed me to incrementally get the experience to succeed, and I'd like to pass on that perspective so that others can do so as well.

The Rundown On The Exam

The Weeks Leading Up To The Exam

The Months Leading Up To The OSCP Course

Completed all TryHackMe Learning Paths certificates including:

Various machines through VulnHub, TryHackMe, HackTheBox and so forth throughout the journey.

Prior to jumping into the deep end with this journey, I made it a priority to teach myself programming with Python in order to get better at code review and exploitation.

So, How Was The Exam?

This is more of an opinion piece, but I found the exam challenging, yet easier than I had built it up to be. I made the mistake of reading a lot of failure stories on Reddit and Discord. They were somewhat helpful (general tips on behaviours) but the negatives definitely outweighed the benefits of those tips.

The exam was this thing on my mind that was eating away at me in the lead-up to finally sitting it. It even affected me during the exam, as the failure stories were eating away at my confidence, but after I overcame that mental perspective all the walls came crashing down and I could see what I needed to do.

The AD portion was my most difficult part, and that was in part due to my own mistake of not paying attention to what I was doing (a lesson in learning to copy/paste correctly), but after the AD section was over I had a sense of relief and each subsequent machine was understandable and methodical.

There was no game plan after the AD machines. I had 10 points from the course and the AD section was worth 40 points so I only needed another 20 points to get to the passing stage. My train of thought was just to select a machine and go for it.

From here, the challenges were technical and difficult but not impossible and required a bit of higher perspective and almost like looking at it from third person or top-down to assess how the ports and pieces all fit in the overall picture.

I felt I was in a good state of mind and I opted not to use any tools or scripts that were especially verbose or unnecessary. I did not use autorecon, linpeas, winpeas or other similar vulnerability checks, and reserved those for if I became truly cornered. I stuck with manual enumeration and it paid off as all the pieces came together.

After 9 hours I was done and was going to go to sleep, but the high was too much, so I sat down and wrote my report as well. I completed the report, went to bed, then woke up, proofread and submitted the report in the morning.

Would I Do Anything Differently?

I would've stopped reading so many posts and blogs about people's failures. This is definitely more of a personal aspect, depending on whether you take that information on an emotional level. I thought that reading them was beneficial (and to an extent it was), but I should not have been so focused on it, as it gave me undue stress before and during the exam.

I would've sat the exam earlier, but there were holidays and life commitments that delayed it somewhat, and again this was in part due to me reading and taking on a lot of that stress, which made the exam a bit of a monster in my mind.

I would've tried my hardest to change my mindset about points. This one was a surprising factor (and even made me feel sick when I tried to eat lunch): I was so focused on needing points and getting the pass that my mindset was on that and not on the challenge I was actively doing. I don't know how I would've avoided this, but my struggles initially were due to how the "points" were at the forefront of my thinking, and it impacted my ability to problem solve; this ended up costing me quite a bit of time by missing simple things.

It is difficult to say if the path I followed, getting eJPT and eCPPT prior to entering the OSCP course, was correct, but for me personally it made a large difference to have experience sitting a pentesting exam, which meant I was relatively cool-headed. Additionally, there wasn't much overlap in content, as eCPPT had its own difficulty, but the experience was helpful nonetheless.

I feel the OSCP is achievable without getting other certs first, but it will be more difficult and may take more time. The course did include everything that you needed to understand, but you definitely needed to hone and practice those skills inside and outside of the course/labs.

Should I Avoid Walkthroughs or Hints?

This is regarding walkthroughs or hints for challenges through Proving Grounds, HackTheBox, TryHackMe and the OSCP lab networks.

I am asked this question often and, depending on the time of day, day of the week or coffee I've had, my answer likely changes, because there are benefits to both and sometimes I place value on one over the other. I used a lot of walkthroughs, but I made it a point to only do so after I'd given it my best; the main point was that I was using them to learn concepts I didn't know how to research or understand (or that hadn't occurred to me).

You cannot google or enumerate your way to a concept or idea that just hasn't entered your brain yet, but you also need to develop your confidence in being able to research, filter for important information and verify possibilities.

You should use walkthroughs to discover information that you did not previously have, and you should only do so after you've tried to research it yourself. The struggle is an important skill and, like all skills, it needs to be developed with practice.

Some Exam Tips

Nothing extensive and nothing breaking any professional NDA or policy, but the following are some tips that may benefit some of you. I would recommend only adopting what you think will be helpful and discarding anything that impacts your own methodology.

linpeas, winpeas, adpeas & So On..

This one entirely depends on how you have developed your methodology. If the first thing you do when you compromise a user is to load these auto-enumeration scripts, and you have become efficient and productive when using them, then stick with it and don't change anything. They are amazing tools and a great way to tick off all your boxes, especially when you are comfortable with them.

Personally, I didn't want to be overwhelmed and I wanted my mind to be focused on what I was testing for. I ran winpeas once but immediately regretted it and dropped it, as it was just information overload. I have used winpeas plenty of times in the past, but while in the exam I felt it was especially verbose. I stuck with manual enumeration throughout and it was the method that worked for me. The main tip here is that if you are like me and want to keep yourself grounded in what you are testing for, then leave those tools for the last thing you do. Only run them after you have checked out the lay of the land and done your personal checks.

Take Those Breaks

You will run out of ideas before you run out of time. Take breaks to clear your head and return with a new perspective. I didn't notice the mistakes in my initial checks until I came back with a clear mind. It is important to remove yourself from your train of thought, so that when you come back to it you aren't stuck with the wrong ideas but are looking at the problem in a new light.

Enumerate

Sick of hearing that word yet? The reality is that it will be the biggest asset to your success. You are in a 24 hour exam that has placed a mountain of stress on your shoulders. It has impacted your behaviour whether you notice it or not. The way to overcome that is to stick to the steps you've trained. Enumerate everything. Google anything. If you find interesting bits, then think them through and see if you can connect the dots and find information on them.

If It Looks Like A Rabbithole...

Then it is probably a rabbithole. Looking for the correct path takes time and information. You are short on time, so make sure you make use of all the information you have. If it appears that the exploit is complicated beyond what you would think is OSCP-level, then still do your checks and move on without wasting too much time.

If you find something that appears abnormal, then investigate it further, but make sure you grab the information that you need to confirm it, such as version numbers and so forth. Sometimes you will encounter vulnerable versions where the exploit path has been patched up. You just need to decide how long you want to spend, then move on and circle back to it after you are out of ideas.

Active Directory (Room, meet Elephant)

Difficulty is always subjective, but remember that the course work has everything that you need to think clearly and exploit it. It won't be handed to you on a silver platter; you need to be comfortable with querying and enumerating Domain Controller ports and with querying the domain through a compromised user.

I recommend practising against as many Domain Controller machines as you can and getting familiar with how you pentest those standard DC ports that always show up. Once you have that confidence with the OSCP content and practice with those machines, you won't panic when you finally have to target the AD network. For Active Directory, the first set of credentials opens up an enormous number of possibilities, so you're hunting for vulnerabilities or users/credentials.

Keep It Simple Stupid

I've always been one to enumerate first, then exploit after. My enumeration steps are to keep it simple and get any valuable information that I can. From there I look at possibilities and start ruling some out. Don't get stuck on exploits that appear too involved or complicated right from the start; instead, opt for checking all the low hanging fruit and then progressively become more intense with your checks. Keep it simple!

Careful Notetaking & Enumeration: Watch S1REN's walkthroughs, or attempt the machines and then watch them.

Methodology: Watch professional Red Teamer Alh4zr3d complete hacking challenges.

Practice: TJNull's list was great as a guide for OSCP practice.

Practice: Offensive Security's Proving Grounds was by far the best resource apart from the course labs.

Practice: TryHackMe was not particularly helpful for my practice, but it was still a boost for enumeration and confidence.

Practice: HackTheBox had some great machines that allowed practice against Active Directory.

Before Your Exam

Proctor Exam

The OSCP exam is a proctored exam, and I would recommend doing your due diligence in checking that your system hardware is going to work perfectly. https://help.offensive-security.com/hc/en-us

Depending on how you are running your setup, make sure that you can have your VM running alongside the Offensive Security web app that will be loading your webcam and using system resources in the background. It did not have much performance impact for me, but I recommend that before you sit your exam you reach out and email the proctor team to request a trial/test of the webcam setup.

Make sure everything works so you don't have to worry on the day!

Don't Update Anything

The last thing you want to do is update the system/kernel or tools and find out that it is spitting errors or not working as it did just a few days ago. Don't update your system unless you can heavily test its functionality and be sure there isn't a threat of it dying on you.

Read The Objectives

You will be provided everything when the exam starts, including a link to the student panel that contains the objectives, so take some time to read it. There is important information in the objectives that will clear things up and hopefully save you a lot of time. This is not a black-box test where you have to discover where to go on your own; the objectives will give you useful information.

Keep Your Mind Fresh

In the couple of weeks leading up to my exam, I made a point of trying to tackle as many machines as possible, especially targeting my weak points. I ended up doing a few Linux machines on PG Play:

[Image: list of PG Play Linux machines]

However, I felt my weakness was definitely Windows, as I was already very comfortable with Linux. So I focused the majority of my targets on Windows-based machines:

[Image: list of Windows machines]

This isn't a complete list and doesn't include HTB and THM, but the majority of these machines were from TJNull's list.

Organise Your Notes

It is a given that you will need clear and concise notes for your OSCP journey and beyond. Having a flexible note taking tool is important, but you need to make sure it fits into your workflow.

For myself, I found Obsidian to be the best. I've always written using markdown, and prior to switching to Obsidian I was using VSCode for both coding and note taking. It worked... but it wasn't great.

If you have time, you can read more in depth about my recommendation for Obsidian here.

The idea that I found really useful is the ability to control my workflow through quick searching and by placing my notes within categories using tags. That way I am always able to refer back to examples of attacks I've completed in the past.

Here is an example of my workflow and the reason I stuck with this note taking tool.

[Image: Obsidian workflow]

Whichever way you do your notes, I recommend making sure you take screenshots and write detailed notes for yourself, as if you are teaching yourself from start to finish. The reasoning is that you may not remember it all 3 months later, so being able to jog your memory very quickly is valuable.

Additionally, make sure you have comprehensive cheatsheets for commands and enumeration. Below is an example for when I am checking kernel information; as you can see, I leave myself notes to remember and commands to execute.

[Image: kernel information cheatsheet]

Final Word

I've recently been asked by fellow students about when I felt I was ready, and the answer was that I never was. I wasn't ready; I didn't feel like I had enough practice, and I didn't feel like I knew everything, but I was confident in my ability to enumerate and my ability to google and understand what I was looking for.

This was a difficult question to answer, because I don't think anyone is 100% ready when they sit it; in the back of our minds we are thinking of and expecting the worst.

I kept telling myself "maybe I need another week of practice, or what if I do just 1 more week of study, or what if that next machine has an exploit path that shows up..." but none of that really mattered.

When I first started OSCP in April, I had a goal that I needed to get this done by November. I checked exam retake times and there was a requirement to wait 6 weeks before another attempt; this was the big factor in my just jumping into my exam attempt, because the timing was becoming thin.

In the end it worked out great but as I mentioned, you don't really "feel ready" for the exam however you have to go for it. Practice and believe in your problem solving then go get your OSCP.