My OSCP Journey – Bjoern Voitel
Hi everyone, this is the first guest post on my site, courtesy of Bjoern Voitel. You can find him on Twitter at @BjoernVoitel. If you would be interested in guest posting on my site, contact me on Twitter @blueteamblog. Right, let's get into things!
The Offensive Security Certified Professional is one of the most internationally respected penetration testing certifications. A student is required to pass a 24-hour practical exam, in which they have to prove that they follow a systematic approach to enumerate and hack five vulnerable servers. This blog post will describe my journey towards the OSCP certification and will provide useful tips for aspiring students.
Who is the OSCP for?
The OSCP course teaches the participant a systematic methodology for approaching penetration tests. If you therefore think the OSCP is for red teams only, you may want to reconsider. We are seeing a trend towards forming purple teams, where red and blue team members work together to find the optimal security posture for an enterprise. From my experience, blue teams benefit heavily from a deeper insight into the different phases of an attack (scanning, enumeration, exploitation and privilege escalation), because it helps them defend their networks and systems better.
What prior knowledge is required for the OSCP?
Although one doesn't have to be engaged in penetration testing, experience in that domain is a plus. A good understanding of how Linux and Windows work is a must, and you should also be comfortable working from the command line. Although programming experience is not required, it is a BIG recommendation. If you don't have it, I would suggest getting familiar with Bash scripting and Python.
On my background: I have been working as an information security and privacy consultant and pentester for over 10 years now. I earned several certifications over time, ranging from networking, ethical hacking, risk and compliance to information security management. I also provide ethical hacker training. Nonetheless, I had to practice a lot (especially in my final preparation in 2020). And this is what the preparation is all about: getting experience with the methodology, getting familiar with a systematic approach and being persistent.
What kind of additional preparation sources would you suggest?
Well, that depends on your level of expertise. For beginners I would recommend TryHackMe. They offer rooms aimed at novices in the field of penetration testing, where they explain the usage of different hacking tools like nmap, Metasploit, Hydra and Burp. They also familiarize you with some basics such as networking, a Linux introduction, a Python programming tutorial, etc.
For more experienced hackers, Virtual Hacking Labs can also be recommended. They offer courseware and about 40 vulnerable machines ranging from easy (with some hints on how to hack these) to Advanced+ (where no hints are given). You can also practice writing a report on the exploitation of some of the machines, send that in and earn a certificate for course completion.
HackTheBox is a well-known training ground for hackers for all experience levels. In the free version you can only hack active machines, in the VIP version you’ll also have access to retired machines. If you want to prepare for the OSCP I would recommend buying a VIP subscription. There is a list of servers (mostly retired ones) from a user called TJNull floating around, which is a good lineup of servers to practice on, while being in the final stage of preparing to take the OSCP exam. Also they have some write-ups on these machines explaining every step on how they approached each server.
I used all three providers for my preparation. All have a Discord server with a very helpful community! I was especially weak on privilege escalation. I would recommend buying the two courses on this topic (Windows and Linux) from Tib3rius on Udemy. This was a very good investment for me, not only in preparation for the OSCP, but also for my daily work as a pentester!
My (very long) preparation journey …
It all started out in January 2012 (yes, no typo, actually over 8 years ago) when I first enrolled in the PWK course (yeah, actually it was Penetration Testing with BackTrack (PWB) then). I bought a 3-month subscription and I was very eager to start, so I simultaneously read the courseware PDF, watched the videos and attempted to hack into the lab machines. But as I had to do that besides my regular job, I realized that some days of the lab subscription went by unused. As I made slower progress in the labs, these days suddenly turned into weeks, until I received a friendly reminder mail that my lab was going to expire in a few days. I then laid this project completely aside and reentered the arena in 2015 and then again in 2017. After that on-and-off relationship, I wanted to try the exam in October 2017. By that time I was only relying on the OffSec labs and didn't use any other material (naturally the courseware PDF and the lab machines had been updated meanwhile). I failed the first attempt miserably (more on this later on).
It is okay to start with the labs from Offensive Security, but as a first step you should consider taking some (free) easy-rated HackTheBox or TryHackMe machines before buying the (additional) lab time. This will get you into the mode of taking a structured approach in the labs. When you start using one of the providers mentioned above, I would HIGHLY RECOMMEND not making the mistake of simply going through all the write-ups in preparation, as this would steal away a key experience in practicing the methodology. In the exam you have to be able to find out which attack vector gives you the initial foothold on a machine. Enumeration is key here. And from my own travel on the rocky road, this is where most people hit their limits. Realizing whether you are going down a rabbit hole (being lured onto a vulnerability when there is actually none, or none in this context) is also a main learning point. In some of the labs you will be faced with a situation where you see about 10 services running and all seem to be vulnerable. Finding the correct one and, even more important, forcing yourself to move on and enumerate the other services further and deeply enough (when you are not making progress) is the main goal.
Talking about enumeration: one thing I realized very late during my preparation is that it is a very good idea to ALWAYS focus on the non-web services first after scanning all ports. Web server vulnerabilities are very common, but they also cover the widest area, making the possibilities for exploitation, and with them the time spent on enumeration, even more vast. So first make sure you don't get a foothold using the other services, and then turn to the web server as a last step. It would be a waste of precious time to enumerate a web server for hours and then find out that a vulnerability in an FTP server got you root or SYSTEM right after trying an out-of-the-box exploit.
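The triage rule above (scan all ports, then work through non-web services before the web server) turned into a small script, as an added example that is not part of the original post. It parses nmap's grepable (-oG) output, drops ports that are not open, and emits a checklist with the web services sorted to the end; the scan output embedded below is constructed sample data, not a real scan.

```python
import re
from collections import namedtuple

Service = namedtuple("Service", "port proto state name version")

# Constructed sample of nmap grepable (-oG) output for two hosts; not real scan data.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated as: nmap -p- -sV -oG - 10.10.10.5 10.10.10.7\n"
    "Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, "
    "8080/open/tcp//http-proxy//Jetty 9.4/\tIgnored State: closed (65532)\n"
    "Host: 10.10.10.7 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "445/open/tcp//microsoft-ds//Windows 7 microsoft-ds/, "
    "443/open/tcp//ssl|https//Microsoft IIS httpd 7.5/, 3389/filtered/tcp//ms-wbt-server///\n"
    "# Nmap done\n"
)

WEB_NAMES = {"http", "https", "http-proxy", "http-alt"}


def is_web_service(name):
    """nmap tags tunnelled services like 'ssl|https'; any http-like token counts as web."""
    return any(tok in WEB_NAMES or tok.startswith("http") for tok in name.split("|"))


def parse_gnmap(text):
    """Map each host to its Service records. Each entry in the grepable format is
    port/state/proto/owner/service/rpcinfo/version, entries separated by ', '."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?\tPorts:\s+([^\t]+)", line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        records = []
        for entry in m.group(2).split(", "):
            f = entry.split("/")
            records.append(Service(int(f[0]), f[2], f[1], f[4], f[6]))
        hosts[m.group(1)] = records
    return hosts


def enumeration_order(services):
    """Open ports only; non-web services first (the triage rule), web services last."""
    open_svcs = [s for s in services if s.state == "open"]
    non_web = sorted((s for s in open_svcs if not is_web_service(s.name)), key=lambda s: s.port)
    web = sorted((s for s in open_svcs if is_web_service(s.name)), key=lambda s: s.port)
    return non_web + web


def checklist(hosts):
    """One line per open service to tick off while enumerating, hosts in scan order."""
    lines = []
    for ip, svcs in hosts.items():
        for s in enumeration_order(svcs):
            tag = "web (do last)" if is_web_service(s.name) else "non-web"
            lines.append(f"[ ] {ip} {s.port}/{s.proto} {s.name} {s.version or '?'}  ({tag})")
    return lines


if __name__ == "__main__":
    print("\n".join(checklist(parse_gnmap(SAMPLE_GNMAP))))
```

Feed it your own `nmap -p- -sV -oG` output instead of the sample to get the same checklist for a real lab host.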
If you get stuck on a box and don't make any progress, don't go for the easy route (write-ups). Take a look in the forums (OffSec also has a very good one!) or on Discord. Try to only get a nudge on what is needed for the next step. Also think about why a certain exploit is working or not and what the possible reason(s) could be. For example, there may be a software firewall doing some egress filtering, so you may have to switch from the vanilla 4444/TCP port to something more frequently used for getting a reverse shell. A tip which I got from Tib3rius and which helped me a lot: using port 53/TCP worked for me 98% of the time. If this doesn't work, take a look at the ports open on the server; these should be allowed outbound in many cases.
I used a recent version of Kali Linux during my lab time as well as during the exam. You can also go with the VM image provided by OffSec or use a completely different distribution; it is up to you and your preferences. But I would advise getting familiar with the environment and having all your scripts (scanning, enumeration, etc.) in one place. Also install an FTP server, an SSH server, a web server (I would recommend the Python simpleHTTPServer) and a Samba server (Python Simple SMB Server) on your machine, as these will be beneficial when it comes to transferring files to and from the target machines.
Another question which comes up often from OSCP students is: when will I be ready to take the exam? I have seen several numbers floating around in conjunction with the number of servers hacked in the labs, especially the Big 4 (these refer to the four most difficult servers in the OffSec lab). From my experience: there is no definite number of machines you have to own in the OffSec lab before you are clear to ace the exam! You are ready to take the exam when you have hacked several of the servers in the lab, on HackTheBox (esp. the ones mentioned in TJNull's list) and e.g. the Advanced and Advanced+ servers on Virtual Hacking Labs. It is not a matter of numbers, it is a matter of experience with the methodology! When you have achieved success without consulting the walk-throughs too much, then go for it!
In the 24h exam you are faced with 5 servers, which are worth between 10 and 25 points each. You have to get root / Administrator or SYSTEM access to get the full points for a machine, but you may get partial points for getting non-privileged access, so documenting these is reasonable if you are on the edge. You'll also receive 5 extra points for turning in your lab report. All in all, you need 70 points to pass and must deliver a professionally written step-by-step penetration testing report, from which a not-so-technical user can reproduce your steps.
I decided to take my first exam attempt in October 2017. I scheduled it for the early afternoon in the middle of the week. A bad decision. I was interrupted often by phone calls from customers, therefore couldn't concentrate and only reached 25 points, without any further progress on the other hosts, not even a non-privileged shell. I felt frustrated and laid the whole project aside.
When I came back in 2020 I scheduled the second exam attempt for the evening to get away from the potential disturbances of phone calls, emails, etc. The exam is now proctored, meaning a bunch of guys from Offensive Security are watching you and your screens (you can use multiple) in shifts during the whole time. For me that was not a problem; the OffSec staff members were very polite and I could take breaks whenever I wanted (IMPORTANT!). With some more practice in enumeration, exploitation and privilege escalation I got about 65 points (root on a 25 and a 20, and user access on a 25) in the end. Not bad, a definite improvement. But this experience was energy draining, with only about 3 hours of sleep during the night. Nonetheless, two days afterwards I rescheduled my exam for after the cool-off period (between failed attempts you have to wait an increasing number of weeks before you can retry the exam). This time I scheduled it for the early morning on Friday. I made sure all phones were unplugged and I had an out-of-office reply on my mail accounts, stating that I would answer my mails after the weekend.
I felt ready, when suddenly on Wednesday evening my router broke. I bought a new one on Thursday morning and quickly installed it, restoring my internet access. I quickly realized that it was good fortune that it didn't happen on Friday during my exam. Offensive Security suggests in their exam guidelines to have a backup internet connection (e.g. via 4G) in place, should the ISP have any problems. Another contingency plan could be to have another location you can quickly move to and work from.
I started my screen sharing at 6:45 am and the proctor took me through the ID verification and room scanning with the webcam, and at 7 am I was ready for the exam to start. After receiving my VPN configuration files at exactly that time, I connected and the proctor made sure that my VPN was working as expected. Then I got into it with the plan to first work on a 25 pointer while scanning the other four servers. About half an hour into the exam – BANG – complete blackout for a few seconds in my area! I began to sweat. I restarted the host and virtual machines. But the Internet connection was not coming up! I called my ISP, they reset the DSL line and after about 20 mins it was back online. I logged into the proctoring application and restarted my VPN connection again. At least all that went smoothly. I was able to resume my work where I had left off, so a quick power or internet outage is not a real concern.
I quickly got into the exam flow, having a rested mind and a good systematic approach. I quickly got root on the first 25 and the 20, after which I took a quick break. 4 hours into the exam I got root on another 25 box and was relieved to have reached the magical 70 points mark so early. After about 7 hours I also managed the 10 pointer and got a non-privileged reverse shell on the remaining 20 points host. I left it at this, made some screenshots and went to bed. I got up at 4 am and had 3 hours of exam time left, enough time to create a report draft and record any findings in case I had missed anything from the machines. I double checked my screenshots and the proofs and began finishing my report. At 6:45 am my VPN connection was suspended and the proctor said goodbye. At 8 am my report was finished and I submitted it to Offensive Security.
Offensive Security was very fast in reviewing my report, and so I received my results on Monday morning!
My tips for you
- Don't have any fear of failing the exam. I did twice, and in most of the OSCP exam reviews I read, the authors had the same experience. My suggestion is to reschedule as soon as possible and work / practice on your weak areas (mine were enumeration and privilege escalation) during the cool-off period. That way all concepts stay fresh in your mind while you are getting better.
- Schedule the exam for when you will be rested; that was key for me! So I would suggest an early morning appointment.
- Take breaks during the exam! At least every two hours or after an achievement. That will reset your mind and will give you new clues on how to approach a problem you are facing. Also make sure you are drinking and eating enough. Prepare a few snacks the day before and/or a light meal, which you can easily warm up. This will renew your energy during the 24 hours.
- As you will have to provide the report 24 hours after ending the exam (yes, if you end the exam earlier, the clock starts to tick from that minute on), you should have a good report template in place. If you have decided to do the lab report, you may have one already. Depending on your progress in the exam, you may feel completely drained thereafter, so making writing the report easy is a must!
- Have a backup internet connection in place. This could mean getting a spare, cheap DSL router or a 4G/5G mobile connection as a backup. In case of a power outage or longer internet outage from your ISP, it is a good idea to have a second location as your “warm site”, just in case.
- Make a backup of your VM prior to the exam. The last thing you want, is a non-working VM at the time your exam starts.
- Take a systematic approach to tackle the 5 servers. First start working on the easiest and then during that work, scan the others sequentially (I would suggest the order from highest to lowest points).
- Make sure to scan ALL ports! Don't make any assumptions about what is running on these ports, figure it out. Try to enumerate EVERYTHING (software versions, configurations, abnormal behaviour, …).
- While exploiting, make sure you take screenshots for all steps and achievements!
- On the servers you'll find local.txt (unprivileged access) and proof.txt (root, Administrator or SYSTEM level access) files. These contain a string which has to be submitted to a web portal during the exam.
- IMPORTANT: you also have to take screenshots showing the contents of the file, together with some additional information for the report! I would recommend showing the following information together in one screenshot:
  - id / whoami output
  - hostname output
  - ifconfig / ipconfig output
  - contents of local.txt / proof.txt (type / cat)
- If you cannot make any progress on a host, move on to another after 2 hours at the latest and come back to the problematic server later.
- You may use Metasploit on ONE server. Search the database and make a note of potential, relevant exploits. Use it if you are not making progress with a manual exploit, even if you are early into the exam. This could give you a confidence boost.
- If you feel that you aren't making any progress, don't be alarmed. Just remember that OffSec prepared the servers so that they can all be solved within the 24 hours. Don't over-complicate things; perhaps take a step back and take another look at your scan outputs. Remember: take breaks! For me, the solution to one PE problem came to mind during one of my breaks.
- Prepare the report for the labs for an additional 5 points in case your score is on the edge (about 65 points). You can submit that report together with the exam report, and that may be the difference between failing and passing. If I had provided that report, I might not have needed the third exam attempt at all.
I hope that this write-up was useful to you in your preparation for the exam. I wish you all the best and take care!