"OSCP is not about clearing the exam. It’s all about working deeply on labs."
--Ramkisan Mohan (check out his detailed guide to OSCP preparation)
I began my OSCP journey in the late fall of 2018. So far, I've rooted 23+ machines in the PWK labs, and I am still plugging away, hoping to get as many as possible, learn as much as possible and, of course, pass the exam itself.
I want to give a brief description of what the OSCP is and how it differs from other certifications. I also want to offer some advice that may help you along the way if you choose to pursue it.
The quote above says it all. The Offensive Security Certified Professional is primarily about the PWK labs, and the labs are where the magic happens.
Lab time is bought in one- to three-month increments, which gives you VPN access to a shared lab.
30 days access including exam: $800.00
60 days access including exam: $1,000.00
90 days access including exam: $1,150.00
You can also buy lab extensions at very affordable rates. The prices above include the exam itself.
As far as certification and training go, the OSCP is very affordable, much more so than just about any other training program or certification. Where the OSCP is very expensive is in terms of time. It takes most people hundreds of hours, but the good news is that the labs are actually quite fun (well, at least most of the time). At times it is a bit like playing a video game. In terms of value for both your time and your money, really nothing beats the return that the OSCP provides.
In addition to VPN access to the PWK labs, the course includes a PDF training manual, video tutorials, an IRC chat channel, access to the forums and the ability to ask staff questions. The training manual is quite good in its own right, but it also serves as an enumeration tool: like Chekhov's gun, if something appears in the manual, chances are you will run into it in the labs, so you will find yourself going back to the manual frequently.
The exam itself is just a smaller version of the labs. You are given 23 hours and 45 minutes to root as many machines as you can, and there are only a few. Partial credit is given for low-privilege shells. The best part about the labs is that nothing is off limits: you can use any tools and any methods you want, with very few limitations. The exam, however, has some restrictions. They are listed on Offensive Security's website and basically boil down to not using commercial automated tools for vulnerability scanning or for exploitation (Metasploit, which is free, may be used against only one exam target). There are no restrictions on nmap. Because the labs are less restricted, it is good practice, after you have compromised a system with an automated method that is not allowed in the exam, to go back and do it again manually.
General advice and warnings, for whatever they are worth:
There is no need to wait until you are ready for the PWK labs
I would recommend jumping in right away no matter where you are with your knowledge, your career or your experience level. You'll learn more, learn faster, and have more fun doing it in the PWK labs than you ever will reading books or taking an online class. Sure, you'll probably fail the first time (or first few times), but the whole point is learning and enjoying the experience. I began this with pretty weak web hacking skills and kept putting off machines where I knew that was the way in, but after a while I took the time to develop those skills. The books and classes never really stuck until I had to actually do the website hacking. If you do decide to take a class or read a book before and/or during the labs, I recommend these resources:
- Udemy, my personal favorite provider, with classes on nmap, Metasploit, ethical hacking/penetration testing, Python, Linux and web hacking
- Penetration Testing: A Hands-On Introduction to Hacking, by Georgia Weidman
- The Web Application Hacker's Handbook, by Dafydd Stuttard and Marcus Pinto
- Hacking: The Art of Exploitation, by Jon Erickson
- The IppSec YouTube channel and his OSCP playlist. These videos are of far better quality than the majority you'll find out there. They are walkthroughs of Hack The Box machines, chosen for their similarity to OSCP machines.
Back up your Kali images on a regular basis and have at least two images going at any given time
Kali breaks and is unreliable, and so is the software running on it. One very common problem immediately after running updates on a Kali image is an infinite login loop. This is easily solved, and here is a YouTube video telling you how, but that isn't the only problem you may run across. I've had Kali go south on me quite a few times. Save yourself some trouble: back up at least once a week and keep at least two good Kali images at any given time. I would also recommend having both a 32-bit and a 64-bit image. If you don't, keep in mind which one you have when you compile code, and which architecture you are compiling it for.
For example, if you want to run nosqlmap.py, you will need a local MongoDB, and the latest MongoDB releases no longer support 32-bit x86. You'll run into situations like this, so it is good to be prepared.
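The mismatch that bites people here is compiling an exploit or a static helper on a 64-bit Kali and dropping it on a 32-bit target. Before you transfer a binary, check what you actually built. The script below is an added example, not from the original post: it reads the ELF header with od and reports the word size and CPU, which is what `file` tells you, spelled out so the header fields are visible. The sample headers it writes are constructed for the demonstration; the temp file names are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original post: report whether an ELF binary is
# 32-bit or 64-bit and for which CPU, by reading the ELF header directly.
#
# ELF header fields used (byte offsets):
#   0x00  "\x7fELF"   magic
#   0x04  EI_CLASS    1 = 32-bit, 2 = 64-bit
#   0x05  EI_DATA     1 = little-endian, 2 = big-endian
#   0x12  e_machine   2 bytes in the file's byte order; 0x03 = x86,
#                     0x3e = x86-64, 0x28 = ARM, 0xb7 = AArch64

elf_info() {
    f="$1"
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not an ELF file"
        return 1
    fi
    class=$(od -An -tx1 -j4 -N1 "$f" | tr -d ' \n')
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    # the two e_machine bytes as separate words, joined in host order
    set -- $(od -An -tx1 -j18 -N2 "$f")
    if [ "$data" = "01" ]; then machine="$2$1"; else machine="$1$2"; fi
    case "$class" in
        01) bits=32 ;;
        02) bits=64 ;;
        *)  bits=unknown ;;
    esac
    case "$machine" in
        0003) arch=x86 ;;
        003e) arch=x86-64 ;;
        0028) arch=ARM ;;
        00b7) arch=AArch64 ;;
        *)    arch="unknown(0x$machine)" ;;
    esac
    echo "${bits}-bit $arch"
}

# Constructed samples: the first 20 bytes of an ELF header (all elf_info
# reads). Layout: magic(4) class(1) data(1) version(1) pad(9) e_type(2) e_machine(2).
sample_elf64_x86_64() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$1"
}
sample_elf32_x86() {
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\003\000' > "$1"
}

# Usage on a real binary:   elf_info ./exploit
# Building for a 32-bit target on 64-bit Kali needs the multilib headers:
#   apt install gcc-multilib && gcc -m32 -static -o exploit32 exploit.c
```

Static linking (`-static`) is worth the larger file: a target box rarely has the same glibc as your Kali, and a dynamically linked exploit that fails to load looks exactly like one that was compiled for the wrong architecture.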
Use this sed command
If you download or edit bash, Python or other scripts on a Windows machine (so you can use a tool like Notepad++) and then bring them over to Kali, you need to strip the carriage returns first: sed -i -e 's/\r$//' <script name>
I'm only adding this simple and perhaps obvious detail because it is missing from most other people's OSCP prep guides, even though they include other obvious things like how to use the find and locate commands. The command dos2unix usually works, too.
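The symptom to recognise is a script that fails with "/bin/bash^M: bad interpreter: No such file or directory", because the shebang line now names an interpreter called "bash" followed by a carriage return. The functions below are an added example, not from the original post: they count CRLF lines and strip them, building the CR byte with printf so the sed works with any POSIX sed (the `\r` escape in the one-liner above is a GNU sed extension, fine on Kali but not everywhere). The sample script they create is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: detect and strip Windows line
# endings from scripts that were edited on a Windows box.
CR=$(printf '\r')

# Number of lines ending in CR LF; 0 means the file is already clean.
crlf_lines() {
    n=$(grep -c "${CR}\$" "$1") || n=0
    echo "$n"
}

# Rewrite the file without the CRs. sed -i is not portable (GNU takes an
# optional suffix, BSD requires one), so go through a temp file instead.
strip_crlf() {
    tmp="$1.crlf.$$"
    sed "s/${CR}\$//" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: a two-line script saved with CRLF endings, which
# ./sample.sh would refuse to run with "bad interpreter".
make_crlf_sample() {
    printf '#!/bin/sh\r\necho hello\r\n' > "$1"
}

# Usage:  crlf_lines exploit.py && strip_crlf exploit.py
```

The same check is worth running on files you pull down with wget from a Windows-hosted share or paste out of a browser; exploits from exploit-db in particular often arrive with CRLF endings.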
Reverse shells are clumsy and will not work like shells you are used to
It can be really frustrating to have a reverse shell (or think you have one), run a command, see nothing come back and not even know whether it ran. Sometimes there is a simple solution, like appending 2>&1 to the command so that error output comes back over the same socket as standard output. There are many other things you can do to clean up your shell and TTY. One of the most common is: python -c 'import pty; pty.spawn("/bin/bash")'
Here is a cheat sheet that will help you:
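The full upgrade from a bare socket to a usable terminal is a short, fixed sequence, and it is worth having it memorised before the exam. What follows is an added example, not from the original post or from any cheat sheet: the sequence as comments, plus two small helpers, one that picks whichever pty-spawning command the target actually has (python3, python or script) and one that generates the stty line for your real terminal size. The listener port 4444 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example, not from the original post: upgrading a reverse shell
# (listener assumed to be `nc -lvnp 4444` on the attacking machine).
#
# 1. On the target, inside the reverse shell, spawn a pty:
#      python -c 'import pty; pty.spawn("/bin/bash")'
#    (python3 on newer boxes; `script -qc /bin/bash /dev/null` if no python)
# 2. Press Ctrl-Z to background the shell, then on the attacker:
#      stty raw -echo; fg
#    raw mode passes Ctrl-C, tab completion and arrow keys through to the
#    target instead of to your local shell; -echo stops doubled keystrokes.
# 3. In the foregrounded shell, on the target:
#      export TERM=xterm; stty rows <R> cols <C>
#    using the numbers from `stty size` on the attacker.
# 4. For blind commands, append 2>&1 so stderr crosses the socket too;
#    otherwise a failing command looks exactly like one with no output:
#      id 2>&1

# Run on the target: print the pty-spawn command this host can execute.
# Always prints something, so the output can be pasted straight back in.
pty_spawn_cmd() {
    if command -v python3 >/dev/null 2>&1; then
        echo "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif command -v python >/dev/null 2>&1; then
        echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'"
    elif command -v script >/dev/null 2>&1; then
        echo "script -qc /bin/bash /dev/null"
    else
        echo "echo 'no python or script on this host; stay in the raw shell'"
    fi
}

# Run on the attacker: the stty line for step 3, sized to your terminal.
# Falls back to 24x80 when there is no terminal (e.g. run from a script).
target_stty_cmd() {
    set -- $(stty size 2>/dev/null)
    echo "stty rows ${1:-24} cols ${2:-80}"
}
```

If `/bin/bash` is missing on the target (busybox systems, minimal containers), substitute `/bin/sh` in the spawn command; the rest of the sequence is unchanged.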
Remember the lab is shared: Revert, Revert, Revert!
When you begin working on a machine, revert it before you begin and after you are finished. Failing to do this has worked both in my favor and against me. I had low-privilege access to a machine and saw a file on the system that somebody else had placed there, and it was a dead giveaway of what I had to do next to get root. Conversely, I scanned a system and worked on it feverishly for an embarrassingly long time until I rescanned and saw a running service that I hadn't seen during my initial scans. Many exploits, if they initially fail, will simply kill a service; if you scan during that window, you'll miss it. You are given a control panel to revert systems, and it should be used. For some reason, I started out very hesitant to revert but have grown to use it more liberally as I progressed through the labs. Sometimes someone else will revert while you are on a machine, which is why note taking is so important.
Do the Alpha walkthrough first
The forums have a walkthrough of Alpha. I had no idea that this was available. The very first thing I would recommend doing in the labs is figuring out what the DNS servers are and changing your /etc/resolv.conf accordingly (check that the change survives a VPN reconnect, since NetworkManager can rewrite that file). Alpha is a nice challenging box and a great way to get your feet wet.
Escaping the rabbit hole
I wish I had good advice on this, but going down rabbit holes, sometimes for days, is just part of the learning experience and is an inescapable reality of these labs (and hacking in general). It helps sometimes to give yourself some type of time limit and then to move on to another machine or another possible attack vector. I know this will be even more important in the actual exam itself.
Privilege Escalation is fun
Sometimes you go from no access at all directly to root with nothing in between, but what I find most challenging and engaging is getting a low-privilege shell and working your way up from there. Those boxes were by far my favorites. One reason is that you never feel completely stuck against a brick wall, because you can keep following the slogan: Enumerate! Enumerate! Enumerate! Many times you will find the right vulnerability to exploit and a script or tool to do the job, but it won't work as is. Often it only requires a small change, which forces you to actually understand the exploit and the vulnerability better.
Download this GitHub content
You'll need a lot more than that from GitHub, but this is a good start.
Check out other people’s advice and work
There are tons of great articles, blog posts, YouTube videos and GitHub repositories dedicated to helping you pass the OSCP. Take advantage of them.
I certainly hope to pass on my first go around, but I know the majority of people do not. If I'm one of that majority, I will continue to practice at Hack The Box, sharpen the skills I'm weak at and give it another try at a later date. As the quote above says, it is more about the labs than the exam (but I will pass eventually). Wherever you are in your skill level, I recommend the PWK labs to anybody who wants these skills. They're much better than books, YouTube videos, online classes or even other certifications. You will feel engaged, will be learning immediately and will be supported from day one.
John Wenning GPEN, CISSP, ZCE, GSEC, MCSE (and soon: OSCP!)