The Journey to Becoming an OSCP

The journey to becoming an OSCP is arduous and requires knowledge across multiple domains. I distill the syllabus into core areas and provide links to training to help you reach those skills.

What is the OSCP?

  • https://www.offensive-security.com/pwk-oscp/
  • Earned upon completion of:
    • The self-paced PEN-200 course
    • A 23.75-hour proctored, simulated penetration test, followed by a written report
  • You will learn:
    • How to think like an attacker
    • The tools and methods used by attackers



Major Changes

ℹ️
The entry with the most recent date supersedes the older ones; the earlier entries are kept below as an archive.

Nov 1, 2024

Official Announcement

The official announcement from OffSec is available here. This update reworks the Active Directory portion of the exam and the way points are earned. I'll summarize the key points below.


Exam Changes

Certification Renewals

  • The OSCP is now going to be known as the OSCP+
  • In the past, the certification was valid for life, but now requires renewal every three years to keep it in active standing
    • The certification can be renewed with continuing education credits or a higher-level OffSec certification exam
    • If the three year window lapses, you are still a lifetime OSCP holder, but lose the + designation

ℹ️
The business logic behind this — in my opinion — is that they're looking to have their certifications recognized by the U.S. federal government, which requires certifications to have a continuous education component. This is why EC-Council's CEH is already on the approved list and I'm sure OffSec would like to compete in this space.

No More Pivoting

  • Pivoting from an external foothold into Active Directory is no longer required
  • OffSec's mindset here is to make the Active Directory assessment completely focused on Active Directory
  • If the student fails to establish the external foothold, they don't have a chance to demonstrate their AD knowledge
  • Instead, the AD challenge now focuses on an internal (assumed-breach) assessment where you are on a host internal to the AD network, tasked with escalating privileges and pivoting through the domain

No More Bonus Points

  • The bonus points aspect of the exam allowed students to pass the exam without compromising Active Directory
  • OffSec believes — and rightly so — that the student should be assessed comprehensively on the material they've studied

Active Directory Partial Points

  • In the past, full domain compromise was required to be granted the 40 points allocated to the Active Directory set
  • Now, partial points are awarded per target compromised:
    • 10 points for target #1
    • 10 points for target #2
    • 20 points for target #3

New Points Structure

  • 70% is required to pass (70 points/100 points)
  • 3 standalone targets (60 points possible)
    • 10 points for initial foothold
    • 10 points for elevation of privilege
  • Multiple ways to pass
    • Full points from AD + combination of points from standalone
    • Partial points from AD + combination of points from standalone

More Questions?

Please consult the official announcement for more details.

Apr 18, 2023

Official Announcement

You can read the announcement here. The purpose of this change is to make the learning experience and labs more modular. I'll summarize the most important points below:


Course Changes

I'm not going to cover everything that was added to or removed from the course (you can read the announcement), but I will mention the most notable changes:


Removed

  • Buffer Overflows (the simple stack overflows taught in the course were no longer considered realistic)
  • Command Line (covered in PEN-100)
  • Bash Scripting (covered in PEN-100)
  • File Transfers (covered in PEN-100)

Added/Enhanced

  • Web App
  • Privilege Escalation
  • Tunneling
  • Active Directory


Lab Changes

  • No more shared environment
  • Follows PEN-300 and WEB-200 exclusive environment model
  • Labs are more challenge-based, progressively more difficult

Exam Changes

  • No buffer overflow machines
  • Any existing content should be expected in the exam (see diagram above)
  • Any new content will be added to the exam six months post-launch

Bonus Points

Please consult the announcement post and carefully read through each scenario.

Jan 11, 2022

This announcement revealed a major change to the exam structure — with the introduction of an Active Directory set in addition to three independent targets.


⚠️
With their Mar. 15, 2023 announcement, there will no longer be a buffer overflow target in the exam environment!


  • Points Required to Pass: 70
  • Points Possible: 100
  • No partial points for Active Directory (AD)
    • Must fully compromise the AD set





What Skills Should I Have for the OSCP?

Don't be this person
  • Most people want to learn how to hack in as little time as possible
  • I mean it sincerely when I say this:
    • There are no shortcuts, no secrets
    • No one is gatekeeping
    • Accept that it's going to take time and work
    • Learn the key skills now before you form bad habits
  • You will thank yourself later when:
    • You know how the attacks work at multiple layers
    • You know how to detect attacks at multiple layers



Required Skill Areas

  • Operating Systems
  • Networking
  • Web
  • Programming

How They Apply to the OSCP

ℹ️
I've taken the start of each section — no subsections — from the syllabus and distributed them into a table based on where the skill fits into different IT domains.

Some sections of the syllabus will fit into multiple columns, while others only fit into one column.



Free Training Resources

ℹ️
You do not need to be an expert in all of the aforementioned areas! You just need to build confidence and understand the technology, tools, and techniques.

I am maintaining a list of free training resources on these topics at this page, and will continue to add to it as I come across more quality links.

Free IT and Cybersecurity Resources
I will try to keep this list continuously updated with training and informational resources for different areas that could benefit students and professionals in cybersecurity and IT.





Should I Get Other Certs First?

People have asked me about getting certifications such as the A+, Network+, and Security+ in preparation for the OSCP. The honest answer to that question is, "It depends."

Weighing the Pros and Cons

I've been in this position before. The idea of certifications is appealing, because they give you structure on what to study from start to finish.

However, certifications are expensive and time-consuming, and there are often recurring costs to keep them current, so I would narrow the decision down to one question if you're trying to decide whether to pay for a certification or not:

Will the certification help you immediately with your job search?

Search for the certification on some job sites like LinkedIn or Indeed.

  • Is there high demand for the certification?
  • Are the jobs in the results something you'd consider applying to?
    • If yes:
      • Then, it may be worth obtaining the certification
    • If no:
      • Then, you could study the certification materials and skip the exam





Curiosity: The Most Important Attribute

This is the single biggest requirement to becoming a successful hacker. You need to have the mentality of:

  • What if ________ ?
  • What would happen if I ________ ?
  • I wonder what caused ________ to happen.
  • I don't know what ________ is. Let me research it.

To the curious, nothing is inconsequential. Hackers want to understand how things work, how things are controlled, and how those control systems can be manipulated in unintended ways.



Learn to Break the Rules (Ethically)

Imagine you are looking at an application. You see an input box. The input box says that you may only enter alphanumeric characters. Your curiosity should kick in here. What would happen if you input a special character or an emoji? What would happen if you input 1,000 "A" characters?

Remember, you're testing to certify as a penetration tester and ethical hacker. The difference between an ethical and a malicious hacker really boils down to "permission to test a specific scope" and "responsible disclosure".



Learn to Love Research

Your first instinct – when you encounter something you don't know – should be to do some research on Google, Reddit, or other areas of the Internet. There's a good chance someone on the Internet has already asked about it or written about it.



Google Dorks

Google's search has operators that can be used to return very specific results when performing a search.

Some Example Search Operators

  • "keyword" results must contain this exact word
  • "some words" results must contain this exact phrase
  • -keyword results must not contain this word
  • -"some words" results must not contain this phrase
  • site:somesite.com return results only from a specific site
  • site:*.somesite.com return results from any subdomain of a site
  • filetype:pdf return results that are PDF files
  • before:YYYY-MM-DD return results published before a specific date
  • after:YYYY-MM-DD return results published after a specific date
  • after:YYYY-MM-DD before:YYYY-MM-DD return results in a date range
  • cache:somesite.com show Google's cached copy of a page (Google retired this operator in 2024; the Wayback Machine is the usual fallback)
  • inurl:keyword results must contain this word in their URL
  • intitle:keyword results must contain this word in their title
  • site:somesite.com filetype:xlsx inurl:expense operators can be combined
Google Search Operators: 40 Commands to Know in 2022 (Improve Research, Competitive Analysis, and SEO)
Google search operators make searching for things online so much better. Once you’ve mastered just a few of these special commands, you’ll wonder how you



Google Hacking Database

This is a list of Google Dorks used by the community to find vulnerabilities or misconfigurations.

Offensive Security’s Exploit Database Archive
The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers.





Learning How to Hack

💡
A hacker is the sum of their disparate experiences.

Put briefly, two things will make you a better hacker:

  • Experience
  • Time

This is true for any profession or hobby, really. The more experience you gain in a particular subject, the better at it you will become.

If you're just starting out, be patient and accept that getting better at hacking and security research is simply a matter of gaining experience over time.



How to Learn Real Hacking

  • There is no one path to becoming a hacker or security professional
  • The highly respected LiveOverflow talks about his journey
    HTML > VBS > Webdev > PHP > CSS > JS > MySQL > SQLi > Android Dev > Google Wave > Computer Science > Linux > HackerSpace > Arduino > CTFs



How the Best Hackers Learn Their Craft

  • A Carnegie Mellon professor discusses how to grow your hacking skills
  • DELIBERATE practice, autodidacticism (self-initiated learning), creativity
  • Don’t shut down when you don’t understand (Google keywords in the problem)
  • CTFs are critical to skill growth (HackTheBox, TryHackMe, etc)





Pentesting Methodology

Applying it to CTFs

1. Client Visit and Scoping

  • For a CTF, think platform rules of engagement
  • Have an understanding of what you may and may not do
  • Be very clear on what your target is
  • Never engage out of scope without permission

2. Intelligence Gathering

  • Passive
    • Finding information about a target indirectly
    • No interaction with target systems
  • Active
    • Finding information about a target directly, for example:
      • Querying its DNS servers
      • Visiting the target's web sites, FTP servers, mail servers, etc.

3. Threat Modeling

  • Assess the target type and determine its common weaknesses
  • For example, most web applications sit on top of a database, so SQL injection is a plausible class of weakness to test for

4. Vulnerability Analysis

  • Directly related to the quality of your intel
  • Based on your interactions with the target systems
  • Check version numbers, inputs, etc
  • What do your findings reveal?

5. Exploitation

  • Use great care and rely on your intel
  • Is there an exploit for the target service?
    • Version-specific?
    • Architecture-specific (32-bit/64-bit)?
  • Read the exploit before you run it: one written for the wrong version or architecture can crash the service, and a crashed service may not come back without a revert

6. Post Exploitation

  • Congrats, you got a shell!
  • Get a lay of the land
  • Privilege escalation, further penetration
  • Repeat the enumeration process (steps 2 through 5)

7. Reporting

  • For a CTF, this could be a blog write-up
  • You'll want to clearly define how you exploited targets
  • Describe the vulnerability
  • Describe the exploit used and how it works
  • Describe any changes you made to an exploit
  • Describe how to prevent exploitation





Getting Hands-On Experience

Knowledge without practice is useless. Practice without knowledge is dangerous.

– Confucius



Key Point for the OSCP

The single most important thing you can do in your preparation for the OSCP is focus on attacking a very diverse range of targets – various protocols, various services, various operating systems, various difficulties, various labs.



OSCP-Like Boxes List

This is a huge list of targets that will give you a similar experience to something you'd see in the OSCP (not identical). You'll see targets in these categories:

  • Vulnhub (homelab, self-hosted)
  • Proving Grounds (hosted)
  • HackTheBox (hosted)
NetSecFocus Trophy Room - Google Drive



Hosted Services

Pros

  • Lab and environment are already set up for you
  • Just bring your Kali VM and get to work
  • Some services also offer a pre-made Kali attack box for convenience

Cons

  • Most will require a fee to use extended features
  • If you use the provided attack box, you're going to miss out on valuable experience setting up and maintaining your Kali VM

Some Providers



Home Lab

Guides I've Written

How to Start Your Home Lab

In this post, I cover the perks of running a home lab, scouting for equipment, and home lab design.
  • One of the single greatest ways to develop core IT skills
  • Systems/Network administration and break-fix are easily some of the best ways to learn the attack surface of IT systems



Building a Security Lab in VirtualBox

In this project, we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox.
  • VirtualBox is a free and open-source type 2 hypervisor
  • If you're new to virtualization, this is the best place to start
  • This guide is great for beginners and you'll get plenty of hands on experience with systems and networking



Building a Security Lab in Proxmox

Proxmox VE 8: Converting a Laptop into a Bare Metal Server
In this project, we will take a look at an in-detail process of setting up a Proxmox home lab on a bare metal server.
  • Proxmox is a free and open-source type 1 hypervisor
  • The Proxmox guide is going to require separate server hardware
  • Proxmox has far more advanced capabilities than VirtualBox or VMware Workstation and would be a great logical next step once you've gotten comfortable with something like VirtualBox





Developing an Attack Methodology

First Things First

⚠️
Get your attack methodology down on individual boxes first before branching out to networks (e.g., Active Directory)
💡
It is OK to read write-ups! Don’t let your pride get in the way of your success. If you're stuck for 30 minutes, get a nudge and move on. You don't need to read the whole write-up.



Building Momentum

Developing an attack methodology is usually the most difficult part for beginners, as it can be overwhelming when you're staring at your first nmap scan and trying to figure out what to pick at first.

The key is to get some momentum by starting with the low-hanging fruit. Just start analyzing ports. Look at the service banners in the nmap output and try to figure out what's running on a specific port. Some examples of "easier" services to get started with are:

  • File Servers
    • Protocols
      • FTP
      • SMB
    • Why they're good starters
      • Sometimes allow unauthenticated access (FTP anonymous login, SMB null or guest sessions)
      • Are great places to enumerate more information for later (usernames, configuration files, credentials)
  • HTTP
    • Why it's a good starter
      • Easy to assess, just open your web browser
      • Use a tool like gobuster to brute-force directories and files on the web server
      • Other directories and files may offer additional avenues
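To make the "start with the low-hanging fruit" habit concrete, here is an added example (my code, not from the original post or from nmap) that reads nmap's grepable output (nmap -oG), keeps the open ports, and orders them into a first-steps checklist: FTP first (anonymous login check), then SMB (null/guest session), then HTTP (browse, then gobuster), then everything else (record the banner and search for exploits). The scan text, the lab address 10.10.10.5, and the wordlist path are constructed or assumed for illustration.

```python
"""Turn an nmap grepable (-oG) scan into a low-hanging-fruit checklist.

Added example for this page; not part of the original post. The scan output,
the host address and the wordlist path are constructed/assumed.
"""
from dataclasses import dataclass

# Constructed output of `nmap -sV -oG scan.gnmap 10.10.10.5` (placeholder lab host).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2/, "
    "80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//netbios-ssn//Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)/, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (994)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)


@dataclass
class Port:
    host: str
    number: int
    proto: str
    service: str
    version: str


def parse_grepable(text):
    """Return the open ports from grepable output as Port records."""
    ports = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Tab-separated "Key: value" columns after the Host column.
        columns = dict(col.split(": ", 1) for col in line.split("\t")[1:])
        for entry in columns["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/.
            # nmap rewrites '/' inside version strings as '|', so splitting on '/' is safe.
            number, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                ports.append(Port(host, int(number), proto, service, version))
    return ports


# Where to look first (lower number = sooner) and the first thing to try there.
# {host}/{port} are filled from the scan; the wordlist path is a common Kali default.
PLAYBOOK = {
    "ftp":          (1, "anonymous login?  nmap -p{port} --script ftp-anon {host}"),
    "netbios-ssn":  (2, "null/guest session?  smbclient -N -L //{host}"),
    "microsoft-ds": (2, "null/guest session?  smbclient -N -L //{host}"),
    "http":         (3, "open it in a browser, then: gobuster dir -u http://{host}:{port} -w /usr/share/wordlists/dirb/common.txt"),
    "https":        (3, "open it in a browser, then: gobuster dir -k -u https://{host}:{port} -w /usr/share/wordlists/dirb/common.txt"),
}
FALLBACK = (9, "record the banner, then: searchsploit {version}")


def triage(ports):
    """Order open ports by how quickly they tend to yield something, with a first step each."""
    rows = []
    for p in ports:
        priority, template = PLAYBOOK.get(p.service, FALLBACK)
        step = template.format(host=p.host, port=p.number, version=p.version or p.service)
        rows.append((priority, p.number, p.service, p.version, step))
    return sorted(rows)


if __name__ == "__main__":
    for priority, number, service, version, step in triage(parse_grepable(SAMPLE_GNMAP)):
        print(f"[{priority}] {number:>5}/{service:<12} {version:<45} -> {step}")
```

Run it against your own scan by reading the `.gnmap` file into `parse_grepable`. The ordering is deliberately opinionated: it encodes the page's advice that file shares and web servers are where you build momentum, and it leaves SSH and other authenticated services for after you have harvested usernames and credentials elsewhere.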



My CTF Methodology

⚠️
Remember, what you experience in a CTF is not a good indicator of what you'll experience on a real pentest.

CTFs are there to teach you about computer vulnerabilities and train you to think like an attacker, like a person trying to bypass control systems.

In this post, I examine the steps I take to approach a typical CTF in the form of a vulnerable target, and elaborate on steps at each phase.





Notes: Your Key to Success

Taking good notes is your key to success with hacking. Not only from a learning perspective where you're documenting what you're learning, but you also need to take thorough notes while you're assessing a target, so you can keep track of important details and screenshots.

If you ask online, you’re going to get bombarded with all kinds of opinions on the best app. Everyone has their favorite, so find what works best for you!

ℹ️
Your note-taking tool of choice should be comfortable and easy to use. A note-taking tool that is frustrating to use only serves to reduce the enjoyment of learning.

Note-Taking Products

Local Notes + Sync

Web-Based Notes Platforms



Note-Taking Methodology

Learning

  • These are the notes you write while studying courses, videos, books, etc.
  • Searchable, concise summaries
    • Do NOT write down everything from the course
    • Your notes should be a pocket reference. The information you need should be easy to find.
    • Make a note of key points, figures, statistics, memorable trivia
  • Keep your commands and code snippets formatted with syntax highlighting
  • Diagrams – https://draw.io (free)

Write-Ups

  • Your write-ups for various challenges (Windows, Linux, Web, Binaries, etc.)
  • Have a template that you can clone and fill out as you move through the challenge
  • Consider having a scratch pad where you can copy/paste before the final draft
  • Keep these notes in their own category
    • It's OK for write-ups to be long, with lots of pictures and text
  • You may wish to write some things from your write-ups in your notes
    • Just keep them brief, nicely formatted, and easily searchable





Roadmap to OSCP

⚠️
This does not guarantee that you will pass the OSCP exam. Use this for what it is – a generalized path to preparing for your OSCP exam.

The roadmap starts from a complete beginner's level, so jump in at whichever step suits your current skill level:

Core Skills Checklist

This is not an exhaustive list of everything you need to know, but it should be a good basis of determining your proficiency.

Systems

  • You'll need to know a variety of operating systems for the OSCP
    • Windows
      • Windows XP
      • Windows 7
      • Windows 10
      • Windows Server
    • Linux (Debian and RedHat derivatives)
    • BSD
    • Possibly more
  • Be comfortable in the terminal
    • Bash
    • PowerShell (and CMD)
  • Know how to list the users and groups on an operating system
  • Know the file system hierarchy on various operating systems
  • Know how to get the current operating system version and kernel
  • Be familiar with the Windows Registry
  • Know how to list installed hotfixes on Windows
  • Know how to check and modify permissions and ACLs
  • Know how to check, create, and modify scheduled tasks
  • Know how to list running process and services
  • Have a basic understanding of how Active Directory functions
    • Know how to work with AD in the shell and GUI
    • Know the difference between a local and network user
    • Know the difference between a local and network group
    • Know the difference between NTLM and Kerberos authentication
    • Know how to check various AD policies and configurations
    • Know how to query DNS records
    • Know how to query LDAP

Networking

  • You don't need to be a subnetting wizard
  • Given an IP address and network mask: know how to figure out your IP address space
  • Know how to query and configure network interfaces on the command line
  • Know how to read a routing table on the host
  • Know what ARP is and how to read an ARP table
  • Know how to list listening ports on a host
  • Know how to pivot to internal networks when your target has multiple interfaces or routes
    • Proxying
    • Tunneling
  • Know how to forward individual ports
  • Be familiar with the OSI model
  • Understand the fundamentals of TCP/IP networking
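The subnetting, routing-table and pivoting items above are easy to check yourself. The following added example (my code, not from the original post) uses Python's standard `ipaddress` module to work out the address space from an IP and mask, to parse `ip route` output, to answer "which interface and gateway does traffic to this target use" by longest-prefix match, and to list the networks a compromised host can reach directly that your attack box cannot, which are the ones you would tunnel or proxy through it to reach. The routing tables, addresses and interface names are constructed.

```python
"""Subnet arithmetic and routing-table reading for the Networking checklist.

Added example for this page, not part of the original post. The interface
addresses, routing tables and target addresses below are constructed.
"""
import ipaddress

# Constructed `ip route` output from the attack box (tun0 = lab VPN) ...
ATTACKER_ROUTES = """\
default via 10.10.10.1 dev tun0
10.10.10.0/23 dev tun0 proto kernel scope link src 10.10.10.200
"""

# ... and from a compromised target with a second NIC on an internal network.
TARGET_ROUTES = """\
default via 10.10.10.1 dev eth0
10.10.10.0/23 dev eth0 proto kernel scope link src 10.10.10.5
172.16.50.0/24 dev eth1 proto kernel scope link src 172.16.50.10
"""


def address_space(ip_with_mask):
    """Accepts '10.10.10.5/255.255.254.0' or '10.10.10.5/23'; returns the network's key facts."""
    net = ipaddress.ip_interface(ip_with_mask).network
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network and broadcast addresses.
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last, usable = net.network_address + 1, net.broadcast_address - 1, net.num_addresses - 2
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "first_host": str(first),
        "last_host": str(last),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def parse_ip_route(text):
    """Parse `ip route` lines into (destination network, gateway or None, device)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gateway = parts[parts.index("via") + 1] if "via" in parts else None
        device = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), gateway, device))
    return routes


def next_hop(routes, target):
    """Longest-prefix match, the same rule the kernel applies when choosing a route."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    dest, gateway, device = max(matches, key=lambda r: r[0].prefixlen)
    return {"target": target, "dev": device, "via": gateway, "on_link": gateway is None}


def pivot_candidates(attacker_routes, target_routes):
    """Directly connected networks of the target that the attack box has no specific route for.
    Reaching them means port-forwarding, proxying or tunnelling through the target."""
    known = [dest for dest, _gw, _dev in attacker_routes if dest.prefixlen > 0]
    candidates = []
    for dest, gateway, _dev in target_routes:
        if gateway is not None or dest.prefixlen == 0:
            continue  # only on-link networks count; skip default and gateway routes
        if not any(dest.subnet_of(k) or k.subnet_of(dest) for k in known):
            candidates.append(str(dest))
    return candidates


if __name__ == "__main__":
    print(address_space("10.10.10.5/255.255.254.0"))
    target = parse_ip_route(TARGET_ROUTES)
    for host in ("10.10.11.77", "172.16.50.20", "8.8.8.8"):
        print(next_hop(target, host))
    print("pivot through the target to reach:", pivot_candidates(parse_ip_route(ATTACKER_ROUTES), target))
```

In a lab you would paste the output of `ip route` (Linux) or `route print` (Windows, with a small change to the parser) from the compromised host into `TARGET_ROUTES`; any network that `pivot_candidates` reports is one to scan from the target or through a tunnel, not from your own box.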

Web

  • Know the most common HTTP request methods
  • Know the most common HTTP response codes
  • Know some basic HTTP headers and how they work
  • Know the basic functionality of a web server
  • Know how to make HTTP requests from the command line
  • Know how to use Burp or some other web proxy
  • Know how DNS works to resolve hostnames to IPs
  • Know how DNS hostnames correlate to virtual hosts on a web server
  • Know how to modify your hosts file on your attack box
  • Know how to modify your DNS settings on your attack box
  • Be familiar with SQL and NoSQL databases
    • Have basic proficiency in SQL
    • Understand SQL injections
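The last three items (SQL proficiency, understanding injection) are best seen side by side. Here is an added example (my code, not from the original post) that builds the same login check two ways against an in-memory SQLite database: once by splicing user input into the query text, the way a vulnerable application does, and once with bound parameters. It then runs the classic first probes through both, including the lone single quote whose database error is the usual first sign that input is reaching SQL. The users table and passwords are constructed.

```python
"""Why basic SQL matters: one login check written two ways.

Added example for this page, not part of the original post. The users table
and credentials are constructed; the payloads are the classic first probes.
"""
import sqlite3


def make_db():
    """In-memory SQLite with a constructed users table (plaintext passwords only to keep the demo short)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "S3cret!"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Deliberately vulnerable: input is spliced into the SQL text, so a quote changes the query."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised: values travel separately from the SQL, so a quote is just a character."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(con, username, password):
    """Run one payload through both versions; surface the DB error the way a 500 page would."""
    try:
        vulnerable = login_vulnerable(con, username, password)
    except sqlite3.OperationalError as err:
        vulnerable = f"ERROR: {err}"
    return vulnerable, login_safe(con, username, password)


PAYLOADS = [
    ("admin", "S3cret!"),      # legitimate login: both versions return "admin"
    ("O'Brien", "x"),          # lone quote: a syntax error here is the tell that input reaches SQL
    ("admin'-- ", "wrong"),    # comment out the password check; logs in as admin without the password
    ("' OR 1=1-- ", "x"),      # make the WHERE clause always true; the first row (admin) comes back
]

if __name__ == "__main__":
    con = make_db()
    for user, pw in PAYLOADS:
        vulnerable, safe = probe(con, user, pw)
        print(f"{user!r:16} {pw!r:10} vulnerable={vulnerable!r:40} safe={safe!r}")
```

The comment sequence and quoting rules differ by engine (`-- ` and `#` for MySQL, `--` for PostgreSQL and MSSQL, `--` for SQLite as here), which is exactly why the checklist asks for basic SQL proficiency rather than memorised payloads: knowing what the final query looks like tells you which probe to try next and why the error message says what it says.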

Programming

  • You don't need to be a full-time engineer or a computer science wizard
  • Have some basic proficiency in AT LEAST one of these scripting languages:
    • PowerShell
    • Python
  • Have a basic understanding of primitive data types in programming
  • Know how to use flow control logic (conditions)
  • Know how to use loops
  • Know how to read, create, and edit scripts and exploits
  • Know how to compile public exploits
    • 32-bit
    • 64-bit
  • Know how to read and understand error messages when your scripts fail
    • Google the error messages when you can't figure it out



Hands-On Practice

Develop Your Attack Methodology

Target Variety

  • Get lots of practice against a wide variety of operating systems
    • Windows
      • Server 2008, 2012, 2016, etc
      • XP, 7, 10, 11
    • Linux (Debian and Red Hat derivatives)
    • BSD
  • I'd highly recommend TJ Null's OSCP-like boxes list for both hosted and home lab targets

Hosted Environments

  • The OSCP-like boxes list focuses on:
    • HackTheBox
    • Offensive Security Proving Grounds
  • Again, if the goal is variety, I'd try to do targets on both platforms
  • Both of these platforms offer Linux and Windows targets
    • See below for Active Directory recommendations

Home Lab

  • The OSCP-like boxes list focuses on Vulnhub exclusively in this category
  • My Home Lab Guides will show you how to host vulnerable home lab targets in a secure way
    • Vulnhub is simply massive, with tons of targets
      • Unfortunately, you won't find any Windows targets here
      • But, it's still an excellent place to perfect your methodology
    • HackMyVM
      • This is a newer site that allows the community to share vulnerable targets
      • They do have vulnerable Windows targets
      • Vulnhub was acquired by OffSec and hasn't seen any recent VM releases, so do check out HackMyVM for more current targets



Active Directory

  • Get comfortable with the Active Directory exploit chain
  • Active Directory is just an extension of Windows fundamentals
    • You'll need your Windows methodologies
    • And, you'll need to understand the core function of Active Directory

Attacking Active Directory

Basic Pivoting Practice


Fantastic Comprehensive Module


Practice Active Directory Networks


Cheat Sheets





Dealing with Impostor Syndrome

When it comes to computer security – and really any other profession – you are always going to encounter people that make you second-guess yourself. It’s important to stay focused on your journey and stay motivated.

  • Remember, when you see someone very skilled:
    • You're seeing a person at a snapshot in time
    • You're not seeing how long it took them to get to this point
  • Some people just learn faster than others (and that's OK)
  • The only comparison to make is your current self versus your past self
    • Do I sometimes feel inadequate when comparing myself with others? Yes!
    • Have I made progress more quickly than I thought I would? Also, yes!
  • There's a lot to learn and there will always be new things to learn
  • Be kind to yourself and remember to give yourself time to relax too





More Pages to Check Out

Penetration Tester Job Role Path | HTB Academy
The Penetration Tester Job Role Path is for newcomers to information security who aspire to become professional penetration testers. This path covers core se…
Introduction · Total OSCP Guide
The Journey to Try Harder: TJnull’s Preparation Guide for PEN-200 PWK/OSCP 2.0
TJnull's guide walks through every PEN-200 section (Kali and the Linux command line, essential tools, Bash scripting, passive and active reconnaissance, vulnerability scanning, web application attacks, buffer overflows, client-side attacks, public exploits, file transfers, antivirus bypassing, privilege escalation, password cracking, port redirection and pivoting, Active Directory attacks, Metasploit, PowerShell Empire) and closes with lab setup, wargames, CTFs, bug bounty programs, vulnerable machines, and tips for the proctored exam.