Howdy. You’re probably reading this because you’re either taking your OSCP exam soon, just starting your journey and don’t want to waste time learning things that don’t apply to the exam, or you’re just curious to see what the 10,000th person to post a “How I Passed My OSCP Exam” article has to say. Regardless of your reasoning, you’ve come to the right place.
I’d like to start off by saying I’m not an English major. I don’t write for a living, I hack things. I tend to type like I talk. If you’re looking for an article that’s so well-written it could be published in the New York Times then you may want to keep looking 🙂
I won’t be posting technical details about the OSCP exam and I’m not doing a comprehensive review on every step of my pentesting methodology and every single knowledge source and toolset I use (though I’d be happy to write one if requested!), but I’m happy to share what I believe is a solid enough roadmap to get you where you need to be if you put in the work. If you want the entire bottom line up front (BLUF) / Too Long Didn’t Read (TLDR) scroll to my conclusion/parting words, I’ll sum it all up down there.
Let’s get to it.
At the time of writing this I’ve been in the U.S. Military for nearly seven years in the cybersecurity field. My entire time has been focused around defensive operations, so while I have some computer experience not much of it applied to pentesting or my OSCP journey.
All-in-all, I failed the OSCP exam thrice and passed once. I didn't have too much of a desire to go through Offensive Security's Pentesting With Kali Linux (PWK) course or take the OSCP exam, but my employer had a few extra vouchers for 90 days of OSCP lab access and the exam and offered me one of them. I could write an entire article on the following couple of years and my exam failures, but that's not the focus of this post. To sum up a long story, work kept me busy and burnt out and I didn't put as much effort into OSCP as I did on my last go-around. In the last few months I separated from the military and got a pentesting gig, and although the work I do there didn't contribute much to the exam, having the option to play on Hack the Box and all those other hacking sites during the workday (if I have downtime) really helped a lot.
I didn’t take note of how many boxes I’ve rooted from each site like a lot of people on here do, so I can’t provide any concrete stats. I popped almost every box in the PWK labs (excluding the additional subnets), I knocked out about half of the boxes on TJnull’s OSCP-like HTB list (I’d recommend knocking these out as well) as well as a good 15–20 or so active easy/medium boxes over the last year or two, I’ve knocked out a ton of rooms on TryHackMe (extremely valuable resource), and a good 10–15 boxes on OffSec’s Proving Grounds (PG).
As a final note before diving into the details, I want to mention that this is in no way, shape, or form a comprehensive guide. This will not take you from zero-to-hero in two months. Honestly, over the last two years of trying to get this certification I didn’t change my methodology all that much. All that changed was how much time and practice I was dedicating to this beast. I looked back at my first few exam-attempt notes the other day and almost instantly found where I went wrong and what I could have done to pass. You may not understand everything right now and just blindly execute payloads and run tools you don’t fully get, but as long as you put in some effort over time it’ll start coming to you and you’ll look back on your past self and realize how far you’ve come. No guides or tutorials can substitute time and effort.
Active Directory (AD)
I'll get right into the section that I know everyone on the OSCP Reddit is freaking out about the most. There's a lot that goes into Active Directory, and if your end goal is to become a stellar penetration tester I'd recommend picking up a book and learning all about it. But if your goal is to pass the OSCP exam, run through the resources I'm listing here and you'll be more than ready.
In my opinion, the AD section in the PWK guide is a bit convoluted. It goes through a lot of manual PowerShell scripting to conduct your LDAP/Domain enumeration, which is a great thing to learn but is a bit much for the exam. If you’re in a time crunch I’d put it on the backburner.
Top AD Resources:
- TryHackMe : Attacktive Directory
- PWK Labs : Both AD sets
- HTB : Any AD box (Forest, Active, Sauna, Cascade, etc.)
- TryHackMe : Any room that comes up if you type “Active Directory” in the search bar.
- https://ippsec.rocks/?# : Type “active directory” in the search bar
TryHackMe was honestly the most valuable resource I used for learning AD attacks. There are plenty of rooms that teach you everything you need to know. A premium membership is super cheap; even signing up for just a month or two is an amazing investment in yourself. Take notes on each type of attack, the tools/commands involved, when to use them, and what the attack requires. I have a OneNote notebook with an entire page dedicated to AD attacks and enumeration vectors. I have them all grouped by which ones can be run remotely from Kali (GetNPUsers, GetUserSPNs, kerbrute, etc.), which ones have to be run on the target (e.g. the SharpHound collector for BloodHound, mimikatz.exe, Rubeus.exe), helpful mimikatz commands, and some helpful domain enumeration scripts (PowerView.ps1, PowerUp.ps1, etc.).
Not much to be said about the PWK AD sets. They’re helpful because most sites will only provide a DC to attack rather than a whole network, but PWK offers AD sets that have three boxes per domain. Try it out, take notes on what you did.
Hack the Box was another good resource for AD boxes. The four I listed above should be enough. I'd highly recommend running through a writeup of Forest. LDAP enumeration was something I had never come across before; 100% recommend it. ldapsearch is a tool that can really help you out if you feel like you've enumerated everything; maybe you'll get lucky and come across creds, or at least usernames and group memberships, in LDAP (user description fields are a classic place for a forgotten password).
IPPSEC’s website is great. If you haven’t heard of him, check his site and/or YouTube channel out. He has a YouTube video on almost every HTB machine out there. He does a killer job at explaining everything and you’ll learn a lot of tips and tricks from him. You can type anything into the search bar on his site and it’ll pull up all of the related videos, tutorials, etc that he has on the topic. There were plenty of days where I wouldn’t feel like booting up my kali box and popping a box so I’d just watch a 20–40 minute IPPSEC video on YouTube and take note of what he did or any techniques I wasn’t familiar with.
My Sample AD Methodology (Not Exam-Specific):
- NMAP scan the AD set → make note of open ports: anything that can give you remote access (SSH/RDP/WinRM), web servers, FTP, and AD-specific ports (SMB/LDAP/Kerberos)
- enum4linux/smbclient each box with no creds (to list shares, see what’s in each accessible share, and possibly list users/groups/domain name)
- Add the domain name and the DC's hostname to "/etc/hosts" (the Kerberos-based tools need to resolve the DC by name, not just by IP)
- ldapsearch (start general, then dig deep. You might find users/creds/account roles)
- Run some remote AD tools for enumeration purposes: kerbrute for username enumeration if you didn't get any users through LDAP/SMB, then GetNPUsers (works with just a user list and no creds; any AS-REP roastable hash it returns goes straight to hashcat), GetUserSPNs and secretsdump (both need a valid domain credential, and secretsdump needs admin rights on the target), etc.
- Have you found users/creds yet? Try them if SSH/RDP is open, or try psexec/evil-winrm, possibly use them to log into a web portal
- If you haven’t gotten a shell yet, enumerate your initial access vectors (usually a webserver or vulnerable service), get low-priv shell (if you’re lucky, maybe an administrator/system shell)
- Typically, credential dumping with mimikatz.exe is useless unless you're an elevated user (reading LSASS needs local admin or SYSTEM), and most of the other AD-specific attacks get far more productive once you are. Kerberoasting, AS-REP roasting and BloodHound collection do work as any domain user, though. Privesc to Administrator or SYSTEM (not touching on that in this section)
- Once you’re an elevated user, enumerate.
- Upload and execute the BloodHound collector (SharpHound.exe is what gets uploaded to the target; the BloodHound GUI and its neo4j database run on your Kali box and ingest the zip SharpHound produces) for visual domain enumeration (super useful, even shows you the quickest paths to Domain Admin and who can be Kerberoasted/AS-REP roasted). BloodHound is also sometimes useful as a low-priv user, since collection works as any domain user, so use it if you're stuck. Just remember to re-run it when you successfully privesc.
- Upload mimikatz.exe (this is the money shot). Use the command cheat sheet you made from some of the TryHackMe rooms and dump creds/hashes. If nothing useful gets dumped move onto some of the other attacks like Pass-the-Ticket (PTT) or Over-Pass-the-Hash (OPTH) and try it again or try authenticating to another box’s domain resources with your new ticket.
- At this point you should have at least a few usernames, passwords, and/or hashes to run with. Use crackmapexec to test if any of these combinations work on the other boxes.
- If crackmapexec (CME) comes back positive, use psexec/evil-winrm to spawn a remote shell to the box. If that doesn’t work and you have valid creds, see if you can use them to SSH/RDP into the box, or maybe use these creds with smbclient and see if you can pull any sensitive data from the share (could contain passwords).
- Any time I get creds that I verified work on another box I’ll re-run all of the remote AD tools against it with the creds (GetNPUsers, GetUserSPNs, secretsdump, etc).
- Once you have access to the next box do it all over again. You may get lucky and get domain admin creds from the first box, or you may have to privesc again and re-roll through the process. This is where Bloodhound comes in handy, it’ll show you what permissions the accounts have that you found creds for. Some creds may work on multiple boxes, use crackmapexec to verify the creds with EVERY IP in the domain, don’t stop at the first box that works. Don’t forget to check the permissions/groups your current user is in. You may not find creds to another user, but your current one may have special permissions that allow you to modify access to resources, run certain processes as SYSTEM, or create new users or add them to certain groups.
Obviously that was a pretty oversimplified methodology, but my goal is to provide a roadmap, not a cheat sheet. This was the longest section I wanted to cover so I included it first. I’m going to keep the next ones short and sweet. Also, note that I’m not providing links to every resource/tool I used. A huge portion of pentesting is knowing how to Google things and do research. Most of the courses I listed will provide links to everything you’ll need though.
My recon and service enumeration methodology is pretty simple. I’ll run an nmap scan, then google “<xyz service> pentesting” and 9 times out of 10 will click on a link from book.hacktricks.xyz or “<xyz service> exploit” if I can find the name and version.
```shell
sudo nmap -n -v -sT -A <IP> -Pn
sudo nmap -n -v -sT -A -p- <IP> -Pn
sudo nmap -n -v -sT -A -p<ports discovered> <IP> -Pn --script vuln
sudo nmap -n -v -sU -Pn <IP>
sudo nmap -n -v -sU -p- -T5 -Pn <IP>
```

The full UDP scan is slow even at -T5, so kick it off in the background and keep working from the TCP results.
If FTP is open try connecting to it with anonymous creds (anonymous / email@example.com) and see what you can find. If it looks like it’s linked to a webserver of some sort try uploading a reverse shell to the FTP server and execute it in the browser. Or maybe it’ll have functionality that auto-executes uploaded files periodically.
If SMB is open try the techniques mentioned in the AD section: enum4linux and smbclient. See if you can get usernames, groups, passwords, sensitive files, a Group Policy Preferences groups.xml (its cpassword field is decrypted directly with gpp-decrypt, no cracking needed), etc.
If LDAP is open use ldapsearch to find potentially sensitive info.
If you find a web server try nikto (server enumeration), dirbuster/gobuster/dirb (to identify directories), wfuzz or gobuster's vhost mode (subdomain/vhost enumeration), manually walking through the application, etc. If there's a login portal try default creds for the CMS or search for creds elsewhere. Google exploits for the CMS or server version. Try LFI/RFI. If the website has upload functionality experiment with uploading web shells or reverse shells.
Any other services just google “<xyz service> pentesting” and follow along. If they have remote/login capabilities see if you can find creds in the service, or default creds on Google, or use previously discovered creds.
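The "if port X is open, do Y" checklist above, as a script that reads nmap's greppable output (-oG) and prints the next commands per open port. This is an added example, not the author's script. The scan output embedded in it is a constructed sample, not a real host, and the wordlist path, the 10.10.10.5 address and the <domain>/<user> placeholders are assumptions; every command it prints is standard Kali tooling syntax, but check the flags against your own installed versions before relying on them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn `nmap -oG` output into the
# per-service enumeration checklist. Sample scan below is constructed.
set -eu

# Constructed greppable output for one host (what `nmap -oG - <IP>` prints).
SAMPLE_GNMAP='Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/, 139/open/tcp//netbios-ssn//, 389/open/tcp//ldap//, 445/open/tcp//microsoft-ds//, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/  Ignored State: closed (994)'

# stdin: greppable nmap output; stdout: sorted unique open TCP ports, one per line
open_ports_from_gnmap() {
  grep -oE '[0-9]+/open/tcp' | cut -d/ -f1 | sort -un
}

# triage_port PORT IP: print the first commands to run against that service
triage_port() {
  local port="$1" ip="$2" scheme=http
  case "$port" in
    21)
      echo "ftp -n $ip   # then: user anonymous anonymous@example.com ; ls -la ; binary ; get <file>"
      echo "nmap -p21 --script ftp-anon,ftp-syst $ip" ;;
    22|3389)
      echo "# $port open: try every credential you find (ssh $ip -l <user> / xfreerdp /v:$ip /u:<user>)" ;;
    80|443|8000|8080|8443)
      case "$port" in 443|8443) scheme=https ;; esac
      echo "nikto -h $scheme://$ip:$port"
      echo "gobuster dir -u $scheme://$ip:$port -w /usr/share/wordlists/dirb/common.txt -x php,txt,html"
      echo "# walk the app manually; default creds for the CMS; search '<cms> <version> exploit'" ;;
    88)
      echo "kerbrute userenum --dc $ip -d <domain> <userlist>"
      echo "impacket-GetNPUsers <domain>/ -usersfile users.txt -dc-ip $ip -no-pass" ;;
    139|445)
      echo "enum4linux -a $ip"
      echo "smbclient -L //$ip -N"
      echo "crackmapexec smb $ip -u '' -p '' --shares" ;;
    389|636|3268|3269)
      echo "ldapsearch -x -H ldap://$ip -s base namingcontexts"
      echo "ldapsearch -x -H ldap://$ip -b '<base DN from namingcontexts>' '(objectClass=person)' sAMAccountName description memberOf" ;;
    5985|5986)
      echo "evil-winrm -i $ip -u <user> -p '<pass>'   # needs valid creds; WinRM gives a shell" ;;
    *)
      echo "# $port: search '<service> pentesting' on book.hacktricks.xyz" ;;
  esac
}

# triage_gnmap IP < scan.gnmap: checklist for every open port in the scan
triage_gnmap() {
  local ip="$1" port
  for port in $(open_ports_from_gnmap); do
    echo "## $ip:$port"
    triage_port "$port" "$ip"
  done
}

printf '%s\n' "$SAMPLE_GNMAP" | triage_gnmap 10.10.10.5
```

Run it against a real scan with `nmap -oG scan.gnmap <IP>` and `triage_gnmap <IP> < scan.gnmap`; the default branch is deliberately just a reminder to go read, because for anything outside the usual ports the research is the work.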
Buffer Overflow (BOF)
I’m not going to write anything too detailed on this. The PWK guide has a good section on the BOF, but it’s really lengthy and very labor-intensive. I ran myself through this one: https://tryhackme.com/room/bufferoverflowprep and it was more than enough for me. It helped automate finding the bad characters (literally knocked off a good hour not restarting the app 30 times to get each bad char). Add a section to your OneNote and copy the steps word-for-word from this THM room and you’ll be more than ready if you’re lucky enough to get a BOF on your exam (just remember, the new BOF machines don’t give you instant SYSTEM, you still have to privesc).
Privilege Escalation (Privesc)
Privilege escalation was always the hardest aspect of pentesting for me to grasp, but I've definitely improved over the years. An important thing to note here is that the PWK guide barely teaches privesc, the PWK labs focus more on vulnerable services and easily identifiable items that always pop on enumeration scripts, and the exam focuses more heavily on service misconfigurations that aren't easily researchable. They're testing you on your ability to assess the situation and get creative with your process, not just Google "<xyz service> privilege escalation". Chances are you'll find multiple possible avenues for privilege escalation. If one of them has a tutorial on Google it's probably not the one. If you have your enumeration bases covered, you should at least be able to identify which service it is that you'll leverage for privesc; you just might not know how to attack it.
My (Rough) Privesc Methodology:
- Use linpeas or winpeas to identify some possibilities. linpeas is usually more helpful, but winpeas is still good. Learn how to parse the output.
- If you found any potential services, check tasklist / ps -ef to see if they're actively running (and who is running them), and check where the binary is running from (on Windows, sc qc <service> shows the binary path and the account; on Linux, ls -l on the path from ps -ef)
- Check cron jobs or scheduled tasks to see if any interesting custom jobs are running
- Can you replace the binary with a reverse shell? First check that you can actually write to it or to its directory (icacls on Windows, ls -l on Linux). If you can and it's currently running, rename it, upload a reverse shell with the original binary name, start an nc listener, then restart the service (sc stop / sc start, or systemctl restart if you're allowed) or, as a last resort, shutdown -r to reboot the box and bring the service back up. A reboot takes the box down for a while and you'll have to re-establish your foothold, so prefer restarting just the service.
- If linux, type ‘sudo -l’ to see if you can take advantage of any sudo commands (use GTFObins if you can sudo a command)
- Check /opt or Program Files to see if any additional third-party software is installed. If so, see if there are any passwords in the configs anywhere. Same with the web server. If it's Linux you should see something in /var/www/html; check the files in there (database connection strings in config files are a common find). linpeas or winpeas should indicate whether or not there's third-party software installed.
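The cron-job and "can you replace the binary" checks above, as a script for the Linux side. This is an added example, not the author's tooling: it parses the system crontab format (schedule, user, command), pulls every absolute path out of each command, and reports the ones you can overwrite, the ones that don't exist yet but sit in a directory you can write to (so you can create them), and the ones whose directory you can write to (so you can rename and replace them). The standard cron locations it walks are real; the crontab used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find cron jobs whose scripts or
# binaries the current user can hijack.
set -eu

# cron_commands FILE: print the command part of each job line in a system-format
# crontab (5 schedule fields + user + command, or @reboot-style + user + command).
# Comments, blank lines and VAR=value lines are skipped.
cron_commands() {
  grep -vE '^[[:space:]]*(#|[A-Za-z_][A-Za-z0-9_]*=)' "$1" | grep -vE '^[[:space:]]*$' |
  while read -r line; do
    set -f                 # never glob-expand the schedule fields (*/5 * * * *)
    set -- $line
    case "${1:-}" in
      @*) [ $# -ge 3 ] || continue; shift 2 ;;   # @reboot user command...
      *)  [ $# -ge 7 ] || continue; shift 6 ;;   # m h dom mon dow user command...
    esac
    printf '%s\n' "$*"
  done
}

# writable_cron_targets FILE: for every absolute path referenced by a job, print
#   "<path> writable"                  you can overwrite the script/binary itself
#   "<path> missing-in-writable-dir"   it doesn't exist yet but you can create it
#   "<path> dir-writable"              you can rename it and drop a replacement
writable_cron_targets() {
  cron_commands "$1" | while read -r cmd; do
    set -f
    for word in $cmd; do
      case "$word" in
        /*)
          if [ -w "$word" ]; then
            printf '%s writable\n' "$word"
          elif [ ! -e "$word" ] && [ -w "$(dirname "$word")" ]; then
            printf '%s missing-in-writable-dir\n' "$word"
          elif [ -w "$(dirname "$word")" ]; then
            printf '%s dir-writable\n' "$word"
          fi ;;
      esac
    done
  done
}

# Walk the standard system cron locations that are readable to us.
for f in /etc/crontab /etc/cron.d/*; do
  [ -r "$f" ] || continue
  echo "## $f"
  writable_cron_targets "$f"
done
```

Anything it reports is a candidate for the rename-and-replace trick from the list above; remember that a job running as root that calls a script through a relative path or a PATH lookup is also exploitable, and this script only catches absolute paths, so still read the raw crontab yourself.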
Obviously there’s way more to privilege escalation than this, but this is a good starting point. Most of it is just running through HTB, THM, and PG boxes and taking notes on what you do. I like to organize my OneNote privesc pages into category based on type of privesc (i.e. Unix — sudo, SUID, kernel sploit; Windows — juicy potato, AlwaysInstallElevated, group privilege abuse, etc). TryHackMe is a good source for learning privesc, just type “privilege escalation” in the search bar and run through a few of those rooms. I know a lot of people mention Tib3rius’ Windows and Linux privesc courses on Udemy if you’re willing to shell out $20 per course. I haven’t paid for any formal courses but they’re both very highly rated.
The exam is 23 hours and 45 minutes. It may sound like a long time, but it does pass pretty quick. For example, once I popped the first box in the AD chain my brain shut down and I couldn’t figure out the next move for ten hours. This was a huge chunk of time that I could have better used on some of the other boxes. I’d recommend drawing out a timeline allowing yourself some contingency planning (like getting stuck on a box for 10 hours). I like to split the exam in half: about 12 hours for the AD chain and then four hours per standalone box. Assuming the AD chain goes relatively quick for you, this gives you a little bit of extra time for food/drinks/snack/walks.
Food. The last thing you want is to start getting hungry and have nothing at home. Go grocery shopping the day prior, and if possible cook some meals and put them in some Tupperware containers so you can have a quick hot meal ready, or grab some frozen meals from the freezer section. If you normally drink caffeine have plenty of coffee or energy drinks on standby. Track your consumption though, it’s easy to accidentally drink too much. Have some snacks/junk food ready at your desk. I have a nervous stomach so I really wasn’t hungry. I had to force down some gummy worms just to get a few calories and get a little extra brainpower. Don’t forget water, drink plenty of water.
Breaks. Don’t forget to take breaks. I set a time limit on each box and set plenty of quick 5–10 minute breaks so I could take a quick walk and get some blood flowing through my body again. However, because I’m so stubborn if I thought I was close to figuring something out I’d sit at my computer three hours over my scheduled breaktime. This is very bad practice. Take breaks. It’ll help refresh you and get your creative juices flowing again.
Take good notes. Scratch that, take GREAT notes. I used OneNote as my note-taking program. I really like the aesthetic of it (I use the 2016 version), and the tabs make it really easy to organize everything. Prior to my exam I created a little template with some NMAP scans and commands to run if X service/port is open and then pasted it into a new tab for each IP on the exam (a total of six tabs). For each host I created a few sub-tabs: the NMAP scan output, the "dirty" notes, a tab to easily recreate the exploitation steps (this was my most useful tab), and a tab just for the proofs. I also created an AD section where I included all of the usernames, passwords, and hashes I found, what IPs they worked on, how to use them to gain remote access, and then the flow of exploitation through the entire domain.
TAKE SCREENSHOTS OF THE FLAG AND IPCONFIG/IFCONFIG OUTPUT IN ONE PICTURE. The last thing you want is to forget to take a screenshot of your flag, especially without verification of the box you’re on. I even went as far as including the ‘whoami’ output.
Prior to ending your exam, revert all of the boxes in the exam environment and run through the exploitation steps from your exploitation steps tab. Don’t assume the graders know how to do anything. Whatever you type is what they do. If they can’t copy/paste all of your steps you’ll fail. So make sure you don’t have any typos or missing commands/screenshots.
I severely underestimated the time it’d take to write the report. I ended my exam at 10am on a Friday, ate some food, slept until 4pm, hung with my family until around 7pm, then was up until 4:30am working on the report. Don’t be like me. I just used the report template OffSec provides. It was a little cluttered and hard to format (I’m terrible with Microsoft Word) but it did the trick. Get some sleep after your exam, then go right into the report. Don’t wait too long. Or, if you finish your exam early it could be worth it to get a head start. Either way, you have 24 hours after your exam ends to submit your report so make sure you factor that in.
All-in-all, OSCP was a pretty fun cert to get. For whatever reason the people trying for this cert have turned it into an entire community, so whether it’s on Reddit or the OffSec forums you always have some sort of support while going through it. And once you successfully complete the exam and earn your badge, the weight off your shoulders feels amazing.
To sum up most of this article here’s a few tips:
- Invest in a THM premium membership and do every single AD room and the BOF room (it’d also be worth it to do the privesc rooms and the web exploitation rooms, or really any other room for that matter)
- Do as much of the TJnull’s OSCP-like HTB/PG/THM machines as possible
- If you have a little extra cash maybe try out HTB Academy
- Take good notes during your journey and categorize everything so you have something to fall back on when you’re exhausted during the exam
- Learn WHY tools/exploits work the way they do and how to modify them as needed
- Pay for the PWK lab access if you can shell out the cash (I found it to be a bit weak, but if you’re an absolute beginner the guide + labs will be super helpful)
- Take frequent breaks during the exam
Last but not least: it's just a certification. It's not the end of the world if you fail the first time, and it's not worth sacrificing your mental health. If you notice yourself burning out take a week or two off. Take care of yourself first. It may be demotivating to fail so frequently when first learning everything, but over time you'll start to grasp it all.
Oh, P.S.. Don’t be scared of writeups. There’s a huge stigma around using writeups. The huge ego basement dwellers seem to think that using a writeup on a HTB machine is a holy sin and you should rot in hell if you didn’t stare at your screen for 3 days and nights trying to figure the problem out. You don’t know what you don’t know. Try your best to figure it out on your own, but if you’ve been sitting at your computer for 6 hours and can’t even figure out how to get initial access into the box then maybe it’s time to see how others did it. Now you know that technique for next time, make note of it. As a pentester working with other pentesters I assure you, if we see something we’re not familiar with during a pentest we’ll Google the hell out of it until it makes sense. I’ve even come across some situations where I’ve used a HTB writeup on a real-life test.
Well, that’s it! Thanks for sticking around if you made it this far. Obviously I’m not an English major, I don’t write blogs for a living. I’m just trying to get my start in this community and figure other people may want a different perspective. This was just a high-level overview of what I would follow if I had to do it all over again. If you want any specific tutorials or writeups I’d be more than happy to start writing some up. Or if you have any questions, just leave a comment and I’ll do my best to answer it.